<!doctype html>
<html>
<head>
<meta charset='UTF-8'><meta name='viewport' content='width=device-width, initial-scale=1'>

<style type='text/css'>html {overflow-x: initial !important;}:root { --bg-color: #ffffff; --text-color: #333333; --select-text-bg-color: #B5D6FC; --select-text-font-color: auto; --monospace: "Lucida Console",Consolas,"Courier",monospace; --title-bar-height: 20px; }
.mac-os-11 { --title-bar-height: 28px; }
html { font-size: 14px; background-color: var(--bg-color); color: var(--text-color); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased; }
h1, h2, h3, h4, h5 { white-space: pre-wrap; }
body { margin: 0px; padding: 0px; height: auto; inset: 0px; font-size: 1rem; line-height: 1.42857143; overflow-x: hidden; background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; background-position: inherit; background-repeat: inherit; }
iframe { margin: auto; }
a.url { word-break: break-all; }
a:active, a:hover { outline: 0px; }
.in-text-selection, ::selection { text-shadow: none; background: var(--select-text-bg-color); color: var(--select-text-font-color); }
#write { margin: 0px auto; height: auto; width: inherit; word-break: normal; word-wrap: break-word; position: relative; white-space: normal; overflow-x: visible; padding-top: 36px; }
#write.first-line-indent p { text-indent: 2em; }
#write.first-line-indent li p, #write.first-line-indent p * { text-indent: 0px; }
#write.first-line-indent li { margin-left: 2em; }
.for-image #write { padding-left: 8px; padding-right: 8px; }
body.typora-export { padding-left: 30px; padding-right: 30px; }
.typora-export .footnote-line, .typora-export li, .typora-export p { white-space: pre-wrap; }
.typora-export .task-list-item input { pointer-events: none; }
@media screen and (max-width: 500px) {
  body.typora-export { padding-left: 0px; padding-right: 0px; }
  #write { padding-left: 20px; padding-right: 20px; }
}
#write li > figure:last-child { margin-bottom: 0.5rem; }
#write ol, #write ul { position: relative; }
img { max-width: 100%; vertical-align: middle; image-orientation: from-image; }
button, input, select, textarea { color: inherit; font-family: inherit; font-size: inherit; font-style: inherit; font-variant-caps: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; }
input[type="checkbox"], input[type="radio"] { line-height: normal; padding: 0px; }
*, ::after, ::before { box-sizing: border-box; }
#write h1, #write h2, #write h3, #write h4, #write h5, #write h6, #write p, #write pre { width: inherit; }
#write h1, #write h2, #write h3, #write h4, #write h5, #write h6, #write p { position: relative; }
p { line-height: inherit; }
h1, h2, h3, h4, h5, h6 { break-after: avoid-page; break-inside: avoid; orphans: 4; }
p { orphans: 4; }
h1 { font-size: 2rem; }
h2 { font-size: 1.8rem; }
h3 { font-size: 1.6rem; }
h4 { font-size: 1.4rem; }
h5 { font-size: 1.2rem; }
h6 { font-size: 1rem; }
.md-math-block, .md-rawblock, h1, h2, h3, h4, h5, h6, p { margin-top: 1rem; margin-bottom: 1rem; }
.hidden { display: none; }
.md-blockmeta { color: rgb(204, 204, 204); font-weight: 700; font-style: italic; }
a { cursor: pointer; }
sup.md-footnote { padding: 2px 4px; background-color: rgba(238, 238, 238, 0.7); color: rgb(85, 85, 85); border-radius: 4px; cursor: pointer; }
sup.md-footnote a, sup.md-footnote a:hover { color: inherit; text-transform: inherit; text-decoration: inherit; }
#write input[type="checkbox"] { cursor: pointer; width: inherit; height: inherit; }
figure { overflow-x: auto; margin: 1.2em 0px; max-width: calc(100% + 16px); padding: 0px; }
figure > table { margin: 0px; }
thead, tr { break-inside: avoid; break-after: auto; }
thead { display: table-header-group; }
table { border-collapse: collapse; border-spacing: 0px; width: 100%; overflow: auto; break-inside: auto; text-align: left; }
table.md-table td { min-width: 32px; }
.CodeMirror-gutters { border-right-width: 0px; background-color: inherit; }
.CodeMirror-linenumber { -webkit-user-select: none; }
.CodeMirror { text-align: left; }
.CodeMirror-placeholder { opacity: 0.3; }
.CodeMirror pre { padding: 0px 4px; }
.CodeMirror-lines { padding: 0px; }
div.hr:focus { cursor: none; }
#write pre { white-space: pre-wrap; }
#write.fences-no-line-wrapping pre { white-space: pre; }
#write pre.ty-contain-cm { white-space: normal; }
.CodeMirror-gutters { margin-right: 4px; }
.md-fences { font-size: 0.9rem; display: block; break-inside: avoid; text-align: left; overflow: visible; white-space: pre; background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; position: relative !important; background-position: inherit; background-repeat: inherit; }
.md-fences-adv-panel { width: 100%; margin-top: 10px; text-align: center; padding-top: 0px; padding-bottom: 8px; overflow-x: auto; }
#write .md-fences.mock-cm { white-space: pre-wrap; }
.md-fences.md-fences-with-lineno { padding-left: 0px; }
#write.fences-no-line-wrapping .md-fences.mock-cm { white-space: pre; overflow-x: auto; }
.md-fences.mock-cm.md-fences-with-lineno { padding-left: 8px; }
.CodeMirror-line, twitterwidget { break-inside: avoid; }
svg { break-inside: avoid; }
.footnotes { opacity: 0.8; font-size: 0.9rem; margin-top: 1em; margin-bottom: 1em; }
.footnotes + .footnotes { margin-top: 0px; }
.md-reset { margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: top; text-decoration: none; text-shadow: none; float: none; position: static; width: auto; height: auto; white-space: nowrap; cursor: inherit; line-height: normal; font-weight: 400; text-align: left; box-sizing: content-box; direction: ltr; background-position: 0px 0px; }
li div { padding-top: 0px; }
blockquote { margin: 1rem 0px; }
li .mathjax-block, li p { margin: 0.5rem 0px; }
li blockquote { margin: 1rem 0px; }
li { margin: 0px; position: relative; }
blockquote > :last-child { margin-bottom: 0px; }
blockquote > :first-child, li > :first-child { margin-top: 0px; }
.footnotes-area { color: rgb(136, 136, 136); margin-top: 0.714rem; padding-bottom: 0.143rem; white-space: normal; }
#write .footnote-line { white-space: pre-wrap; }
@media print {
  body, html { border: 1px solid transparent; height: 99%; break-after: avoid; break-before: avoid; font-variant-ligatures: no-common-ligatures; }
  #write { margin-top: 0px; border-color: transparent !important; padding-top: 0px !important; padding-bottom: 0px !important; }
  .typora-export * { print-color-adjust: exact; }
  .typora-export #write { break-after: avoid; }
  .typora-export #write::after { height: 0px; }
  .is-mac table { break-inside: avoid; }
  #write > p:nth-child(1) { margin-top: 0px; }
  .typora-export-show-outline .typora-export-sidebar { display: none; }
  figure { overflow-x: visible; }
}
.footnote-line { margin-top: 0.714em; font-size: 0.7em; }
a img, img a { cursor: pointer; }
pre.md-meta-block { font-size: 0.8rem; min-height: 0.8rem; white-space: pre-wrap; background-color: rgb(204, 204, 204); display: block; overflow-x: hidden; }
p > .md-image:only-child:not(.md-img-error) img, p > img:only-child { display: block; margin: auto; }
#write.first-line-indent p > .md-image:only-child:not(.md-img-error) img { left: -2em; position: relative; }
p > .md-image:only-child { display: inline-block; width: 100%; }
#write .MathJax_Display { margin: 0.8em 0px 0px; }
.md-math-block { width: 100%; }
.md-math-block:not(:empty)::after { display: none; }
.MathJax_ref { fill: currentcolor; }
[contenteditable="true"]:active, [contenteditable="true"]:focus, [contenteditable="false"]:active, [contenteditable="false"]:focus { outline: 0px; box-shadow: none; }
.md-task-list-item { position: relative; list-style-type: none; }
.task-list-item.md-task-list-item { padding-left: 0px; }
.md-task-list-item > input { position: absolute; top: 0px; left: 0px; margin-left: -1.2em; margin-top: calc(1em - 10px); border: none; }
.math { font-size: 1rem; }
.md-toc { min-height: 3.58rem; position: relative; font-size: 0.9rem; border-radius: 10px; }
.md-toc-content { position: relative; margin-left: 0px; }
.md-toc-content::after, .md-toc::after { display: none; }
.md-toc-item { display: block; color: rgb(65, 131, 196); }
.md-toc-item a { text-decoration: none; }
.md-toc-inner:hover { text-decoration: underline; }
.md-toc-inner { display: inline-block; cursor: pointer; }
.md-toc-h1 .md-toc-inner { margin-left: 0px; font-weight: 700; }
.md-toc-h2 .md-toc-inner { margin-left: 2em; }
.md-toc-h3 .md-toc-inner { margin-left: 4em; }
.md-toc-h4 .md-toc-inner { margin-left: 6em; }
.md-toc-h5 .md-toc-inner { margin-left: 8em; }
.md-toc-h6 .md-toc-inner { margin-left: 10em; }
@media screen and (max-width: 48em) {
  .md-toc-h3 .md-toc-inner { margin-left: 3.5em; }
  .md-toc-h4 .md-toc-inner { margin-left: 5em; }
  .md-toc-h5 .md-toc-inner { margin-left: 6.5em; }
  .md-toc-h6 .md-toc-inner { margin-left: 8em; }
}
a.md-toc-inner { font-size: inherit; font-style: inherit; font-weight: inherit; line-height: inherit; }
.footnote-line a:not(.reversefootnote) { color: inherit; }
.reversefootnote { font-family: ui-monospace, sans-serif; }
.md-attr { display: none; }
.md-fn-count::after { content: "."; }
code, pre, samp, tt { font-family: var(--monospace); }
kbd { margin: 0px 0.1em; padding: 0.1em 0.6em; font-size: 0.8em; color: rgb(36, 39, 41); background-color: rgb(255, 255, 255); border: 1px solid rgb(173, 179, 185); border-radius: 3px; box-shadow: rgba(12, 13, 14, 0.2) 0px 1px 0px, rgb(255, 255, 255) 0px 0px 0px 2px inset; white-space: nowrap; vertical-align: middle; }
.md-comment { color: rgb(162, 127, 3); opacity: 0.6; font-family: var(--monospace); }
code { text-align: left; }
a.md-print-anchor { white-space: pre !important; border: none !important; display: inline-block !important; position: absolute !important; width: 1px !important; right: 0px !important; outline: 0px !important; text-shadow: initial !important; background-position: 0px 0px !important; }
.os-windows.monocolor-emoji .md-emoji { font-family: "Segoe UI Symbol", sans-serif; }
.md-diagram-panel > svg { max-width: 100%; }
[lang="flow"] svg, [lang="mermaid"] svg { max-width: 100%; height: auto; }
[lang="mermaid"] .node text { font-size: 1rem; }
table tr th { border-bottom-width: 0px; }
video { max-width: 100%; display: block; margin: 0px auto; }
iframe { max-width: 100%; width: 100%; border: none; }
.highlight td, .highlight tr { border: 0px; }
mark { background-color: rgb(255, 255, 0); color: rgb(0, 0, 0); }
.md-html-inline .md-plain, .md-html-inline strong, mark .md-inline-math, mark strong { color: inherit; }
.md-expand mark .md-meta { opacity: 0.3 !important; }
mark .md-meta { color: rgb(0, 0, 0); }
@media print {
  .typora-export h1, .typora-export h2, .typora-export h3, .typora-export h4, .typora-export h5, .typora-export h6 { break-inside: avoid; }
}
.md-diagram-panel .messageText { stroke: none !important; }
.md-diagram-panel .start-state { fill: var(--node-fill); }
.md-diagram-panel .edgeLabel rect { opacity: 1 !important; }
.md-fences.md-fences-math { font-size: 1em; }
.md-fences-advanced:not(.md-focus) { padding: 0px; white-space: nowrap; border: 0px; }
.md-fences-advanced:not(.md-focus) { background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; background-position: inherit; background-repeat: inherit; }
.typora-export-show-outline .typora-export-content { max-width: 1440px; margin: auto; display: flex; flex-direction: row; }
.typora-export-sidebar { width: 300px; font-size: 0.8rem; margin-top: 80px; margin-right: 18px; }
.typora-export-show-outline #write { --webkit-flex: 2; flex: 2 1 0%; }
.typora-export-sidebar .outline-content { position: fixed; top: 0px; max-height: 100%; overflow: hidden auto; padding-bottom: 30px; padding-top: 60px; width: 300px; }
@media screen and (max-width: 1024px) {
  .typora-export-sidebar, .typora-export-sidebar .outline-content { width: 240px; }
}
@media screen and (max-width: 800px) {
  .typora-export-sidebar { display: none; }
}
.outline-content li, .outline-content ul { margin-left: 0px; margin-right: 0px; padding-left: 0px; padding-right: 0px; list-style: none; overflow-wrap: anywhere; }
.outline-content ul { margin-top: 0px; margin-bottom: 0px; }
.outline-content strong { font-weight: 400; }
.outline-expander { width: 1rem; height: 1.428571429rem; position: relative; display: table-cell; vertical-align: middle; cursor: pointer; padding-left: 4px; }
.outline-expander::before { content: ""; position: relative; font-family: Ionicons; display: inline-block; font-size: 8px; vertical-align: middle; }
.outline-item { padding-top: 3px; padding-bottom: 3px; cursor: pointer; }
.outline-expander:hover::before { content: ""; }
.outline-h1 > .outline-item { padding-left: 0px; }
.outline-h2 > .outline-item { padding-left: 1em; }
.outline-h3 > .outline-item { padding-left: 2em; }
.outline-h4 > .outline-item { padding-left: 3em; }
.outline-h5 > .outline-item { padding-left: 4em; }
.outline-h6 > .outline-item { padding-left: 5em; }
.outline-label { cursor: pointer; display: table-cell; vertical-align: middle; text-decoration: none; color: inherit; }
.outline-label:hover { text-decoration: underline; }
.outline-item:hover { border-color: rgb(245, 245, 245); background-color: var(--item-hover-bg-color); }
.outline-item:hover { margin-left: -28px; margin-right: -28px; border-left-width: 28px; border-left-style: solid; border-left-color: transparent; border-right-width: 28px; border-right-style: solid; border-right-color: transparent; }
.outline-item-single .outline-expander::before, .outline-item-single .outline-expander:hover::before { display: none; }
.outline-item-open > .outline-item > .outline-expander::before { content: ""; }
.outline-children { display: none; }
.info-panel-tab-wrapper { display: none; }
.outline-item-open > .outline-children { display: block; }
.typora-export .outline-item { padding-top: 1px; padding-bottom: 1px; }
.typora-export .outline-item:hover { margin-right: -8px; border-right-width: 8px; border-right-style: solid; border-right-color: transparent; }
.typora-export .outline-expander::before { content: "+"; font-family: inherit; top: -1px; }
.typora-export .outline-expander:hover::before, .typora-export .outline-item-open > .outline-item > .outline-expander::before { content: "−"; }
.typora-export-collapse-outline .outline-children { display: none; }
.typora-export-collapse-outline .outline-item-open > .outline-children, .typora-export-no-collapse-outline .outline-children { display: block; }
.typora-export-no-collapse-outline .outline-expander::before { content: "" !important; }
.typora-export-show-outline .outline-item-active > .outline-item .outline-label { font-weight: 700; }
.md-inline-math-container mjx-container { zoom: 0.95; }
mjx-container { break-inside: avoid; }
.md-alert.md-alert-note { border-left-color: rgb(9, 105, 218); }
.md-alert.md-alert-important { border-left-color: rgb(130, 80, 223); }
.md-alert.md-alert-warning { border-left-color: rgb(154, 103, 0); }
.md-alert.md-alert-tip { border-left-color: rgb(31, 136, 61); }
.md-alert.md-alert-caution { border-left-color: rgb(207, 34, 46); }
.md-alert { padding: 0px 1em; margin-bottom: 16px; color: inherit; border-left-width: 0.25em; border-left-style: solid; border-left-color: rgb(0, 0, 0); }
.md-alert-text-note { color: rgb(9, 105, 218); }
.md-alert-text-important { color: rgb(130, 80, 223); }
.md-alert-text-warning { color: rgb(154, 103, 0); }
.md-alert-text-tip { color: rgb(31, 136, 61); }
.md-alert-text-caution { color: rgb(207, 34, 46); }
.md-alert-text { font-size: 0.9rem; font-weight: 700; }
.md-alert-text svg { fill: currentcolor; position: relative; top: 0.125em; margin-right: 1ch; overflow: visible; }
.md-alert-text-container::after { content: attr(data-text); text-transform: capitalize; pointer-events: none; margin-right: 1ch; }


.CodeMirror { height: auto; }
.CodeMirror.cm-s-inner { background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; background-position: inherit; background-repeat: inherit; }
.CodeMirror-scroll { overflow: auto hidden; z-index: 3; }
.CodeMirror-gutter-filler, .CodeMirror-scrollbar-filler { background-color: rgb(255, 255, 255); }
.CodeMirror-gutters { border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; white-space: nowrap; background-position: inherit; background-repeat: inherit; }
.CodeMirror-linenumber { padding: 0px 3px 0px 5px; text-align: right; color: rgb(153, 153, 153); }
.cm-s-inner .cm-keyword { color: rgb(119, 0, 136); }
.cm-s-inner .cm-atom, .cm-s-inner.cm-atom { color: rgb(34, 17, 153); }
.cm-s-inner .cm-number { color: rgb(17, 102, 68); }
.cm-s-inner .cm-def { color: rgb(0, 0, 255); }
.cm-s-inner .cm-variable { color: rgb(0, 0, 0); }
.cm-s-inner .cm-variable-2 { color: rgb(0, 85, 170); }
.cm-s-inner .cm-variable-3 { color: rgb(0, 136, 85); }
.cm-s-inner .cm-string { color: rgb(170, 17, 17); }
.cm-s-inner .cm-property { color: rgb(0, 0, 0); }
.cm-s-inner .cm-operator { color: rgb(152, 26, 26); }
.cm-s-inner .cm-comment, .cm-s-inner.cm-comment { color: rgb(170, 85, 0); }
.cm-s-inner .cm-string-2 { color: rgb(255, 85, 0); }
.cm-s-inner .cm-meta { color: rgb(85, 85, 85); }
.cm-s-inner .cm-qualifier { color: rgb(85, 85, 85); }
.cm-s-inner .cm-builtin { color: rgb(51, 0, 170); }
.cm-s-inner .cm-bracket { color: rgb(153, 153, 119); }
.cm-s-inner .cm-tag { color: rgb(17, 119, 0); }
.cm-s-inner .cm-attribute { color: rgb(0, 0, 204); }
.cm-s-inner .cm-header, .cm-s-inner.cm-header { color: rgb(0, 0, 255); }
.cm-s-inner .cm-quote, .cm-s-inner.cm-quote { color: rgb(0, 153, 0); }
.cm-s-inner .cm-hr, .cm-s-inner.cm-hr { color: rgb(153, 153, 153); }
.cm-s-inner .cm-link, .cm-s-inner.cm-link { color: rgb(0, 0, 204); }
.cm-negative { color: rgb(221, 68, 68); }
.cm-positive { color: rgb(34, 153, 34); }
.cm-header, .cm-strong { font-weight: 700; }
.cm-del { text-decoration: line-through; }
.cm-em { font-style: italic; }
.cm-link { text-decoration: underline; }
.cm-error { color: red; }
.cm-invalidchar { color: red; }
.cm-constant { color: rgb(38, 139, 210); }
.cm-defined { color: rgb(181, 137, 0); }
div.CodeMirror span.CodeMirror-matchingbracket { color: rgb(0, 255, 0); }
div.CodeMirror span.CodeMirror-nonmatchingbracket { color: rgb(255, 34, 34); }
.cm-s-inner .CodeMirror-activeline-background { background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; background-position: inherit; background-repeat: inherit; }
.CodeMirror { position: relative; overflow: hidden; }
.CodeMirror-scroll { height: 100%; outline: 0px; position: relative; box-sizing: content-box; background-image: inherit; background-size: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: inherit; background-position: inherit; background-repeat: inherit; }
.CodeMirror-sizer { position: relative; }
.CodeMirror-gutter-filler, .CodeMirror-hscrollbar, .CodeMirror-scrollbar-filler, .CodeMirror-vscrollbar { position: absolute; z-index: 6; display: none; outline: 0px; }
.CodeMirror-vscrollbar { right: 0px; top: 0px; overflow: hidden; }
.CodeMirror-hscrollbar { bottom: 0px; left: 0px; overflow: auto hidden; }
.CodeMirror-scrollbar-filler { right: 0px; bottom: 0px; }
.CodeMirror-gutter-filler { left: 0px; bottom: 0px; }
.CodeMirror-gutters { position: absolute; left: 0px; top: 0px; padding-bottom: 10px; z-index: 3; overflow-y: hidden; }
.CodeMirror-gutter { white-space: normal; height: 100%; box-sizing: content-box; padding-bottom: 30px; margin-bottom: -32px; display: inline-block; }
.CodeMirror-gutter-wrapper { position: absolute; z-index: 4; border: none !important; background-position: 0px 0px !important; }
.CodeMirror-gutter-background { position: absolute; top: 0px; bottom: 0px; z-index: 4; }
.CodeMirror-gutter-elt { position: absolute; cursor: default; z-index: 4; }
.CodeMirror-lines { cursor: text; }
.CodeMirror pre { border-radius: 0px; border-width: 0px; font-family: inherit; font-size: inherit; margin: 0px; white-space: pre; word-wrap: normal; color: inherit; z-index: 2; position: relative; overflow: visible; background-position: 0px 0px; }
.CodeMirror-wrap pre { word-wrap: break-word; white-space: pre-wrap; word-break: normal; }
.CodeMirror-code pre { border-right-width: 30px; border-right-style: solid; border-right-color: transparent; width: fit-content; }
.CodeMirror-wrap .CodeMirror-code pre { border-right-style: none; width: auto; }
.CodeMirror-linebackground { position: absolute; inset: 0px; z-index: 0; }
.CodeMirror-linewidget { position: relative; z-index: 2; overflow: auto; }
.CodeMirror-wrap .CodeMirror-scroll { overflow-x: hidden; }
.CodeMirror-measure { position: absolute; width: 100%; height: 0px; overflow: hidden; visibility: hidden; }
.CodeMirror-measure pre { position: static; }
.CodeMirror div.CodeMirror-cursor { position: absolute; visibility: hidden; border-right-style: none; width: 0px; }
.CodeMirror div.CodeMirror-cursor { visibility: hidden; }
.CodeMirror-focused div.CodeMirror-cursor { visibility: inherit; }
.cm-searching { background-color: rgba(255, 255, 0, 0.4); }
span.cm-underlined { text-decoration: underline; }
span.cm-strikethrough { text-decoration: line-through; }
.cm-tw-syntaxerror { color: rgb(255, 255, 255); background-color: rgb(153, 0, 0); }
.cm-tw-deleted { text-decoration: line-through; }
.cm-tw-header5 { font-weight: 700; }
.cm-tw-listitem:first-child { padding-left: 10px; }
.cm-tw-box { border-style: solid; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-color: inherit; border-top-width: 0px !important; }
.cm-tw-underline { text-decoration: underline; }
@media print {
  .CodeMirror div.CodeMirror-cursor { visibility: hidden; }
}


:root {
  --mermaid-theme: night;
}

[lang='mermaid'] .label {
  color: #333;
}

/* CSS Document */

/** code highlight */

.cm-s-inner .cm-variable,
.cm-s-inner .cm-operator,
.cm-s-inner .cm-property {
    color: #b8bfc6;
}

.cm-s-inner .cm-keyword {
    color: #C88FD0;
}

.cm-s-inner .cm-tag {
    color: #7DF46A;
}

.cm-s-inner .cm-attribute {
    color: #7575E4;
}

.CodeMirror div.CodeMirror-cursor {
    border-left: 1px solid #b8bfc6;
    z-index: 3;
}

.cm-s-inner .cm-string {
    color: #D26B6B;
}

.cm-s-inner .cm-comment,
.cm-s-inner.cm-comment {
    color: #DA924A;
}

.cm-s-inner .cm-header,
.cm-s-inner .cm-def,
.cm-s-inner.cm-header,
.cm-s-inner.cm-def {
    color: #8d8df0;
}

.cm-s-inner .cm-quote,
.cm-s-inner.cm-quote {
    color: #57ac57;
}

.cm-s-inner .cm-hr {
    color: #d8d5d5;
}

.cm-s-inner .cm-link {
    color: #d3d3ef;
}

.cm-s-inner .cm-negative {
    color: #d95050;
}

.cm-s-inner .cm-positive {
    color: #50e650;
}

.cm-s-inner .cm-string-2 {
    color: #f50;
}

.cm-s-inner .cm-meta,
.cm-s-inner .cm-qualifier {
    color: #b7b3b3;
}

.cm-s-inner .cm-builtin {
    color: #f3b3f8;
}

.cm-s-inner .cm-bracket {
    color: #997;
}

.cm-s-inner .cm-atom,
.cm-s-inner.cm-atom {
    color: #84B6CB;
}

.cm-s-inner .cm-number {
    color: #64AB8F;
}

.cm-s-inner .cm-variable {
    color: #b8bfc6;
}

.cm-s-inner .cm-variable-2 {
    color: #9FBAD5;
}

.cm-s-inner .cm-variable-3 {
    color: #1cc685;
}

.CodeMirror-selectedtext,
.CodeMirror-selected {
    background: #4a89dc;
    color: #fff !important;
    text-shadow: none;
}

.CodeMirror-gutters {
    border-right: none;
}

/* CSS Document */

/** markdown source **/
.cm-s-typora-default .cm-header, 
.cm-s-typora-default .cm-property
{
    color: #cebcca;
}

.CodeMirror.cm-s-typora-default div.CodeMirror-cursor{
    border-left: 3px solid #b8bfc6;
}

.cm-s-typora-default .cm-comment {
    color: #9FB1FF;
}

.cm-s-typora-default .cm-string {
    color: #A7A7D9
}

.cm-s-typora-default .cm-atom, .cm-s-typora-default .cm-number {
    color: #848695;
    font-style: italic;
}

.cm-s-typora-default .cm-link {
    color: #95B94B;
}

.cm-s-typora-default .CodeMirror-activeline-background {
    background: rgba(51, 51, 51, 0.72);
}

.cm-s-typora-default .cm-comment, .cm-s-typora-default .cm-code {
	color: #8aa1e1;
}

:root {
    --bg-color:  #363B40;
    --side-bar-bg-color: #2E3033;
    --text-color: #b8bfc6;

    --select-text-bg-color:#4a89dc;

    --item-hover-bg-color: #0a0d16;
    --control-text-color: #b7b7b7;
    --control-text-hover-color: #eee;
    --window-border: 1px solid #555;

    --active-file-bg-color: rgb(34, 34, 34);
    --active-file-border-color: #8d8df0;

    --primary-color: #a3d5fe;

    --active-file-text-color: white;
    --item-hover-bg-color: #70717d;
    --item-hover-text-color: white;
    --primary-color: #6dc1e7;

    --rawblock-edit-panel-bd: #333;

    --search-select-bg-color: #428bca;
}

html {
    font-size: 16px;
    -webkit-font-smoothing: antialiased;
}

html,
body {
    -webkit-text-size-adjust: 100%;
    -ms-text-size-adjust: 100%;
    background: #363B40;
    background: var(--bg-color);
    fill: currentColor;
    line-height: 1.625rem;
}

#write {
    max-width: 914px;
}


@media only screen and (min-width: 1400px) {
	#write {
		max-width: 1024px;
	}
}

@media only screen and (min-width: 1800px) {
	#write {
		max-width: 1200px;
	}
}

html,
body,
button,
input,
select,
textarea,
div.code-tooltip-content {
    color: #b8bfc6;
    border-color: transparent;
}

div.code-tooltip,
.md-hover-tip .md-arrow:after {
    background: #333;
}

.native-window #md-notification {
    border: 1px solid #70717d;
}

.popover.bottom > .arrow:after {
    border-bottom-color: #333;
}

html,
body,
button,
input,
select,
textarea {
    font-family: "Helvetica Neue", Helvetica, Arial, 'Segoe UI Emoji', sans-serif;
}

hr {
    height: 2px;
    border: 0;
    margin: 24px 0 !important;
}

h1,
h2,
h3,
h4,
h5,
h6 {
    font-family: "Lucida Grande", "Corbel", sans-serif;
    font-weight: normal;
    clear: both;
    -ms-word-wrap: break-word;
    word-wrap: break-word;
    margin: 0;
    padding: 0;
    color: #DEDEDE
}

h1 {
    font-size: 2.5rem;
    /* 36px */
    line-height: 2.75rem;
    /* 40px */
    margin-bottom: 1.5rem;
    /* 24px */
    letter-spacing: -1.5px;
}

h2 {
    font-size: 1.63rem;
    /* 24px */
    line-height: 1.875rem;
    /* 30px */
    margin-bottom: 1.5rem;
    /* 24px */
    letter-spacing: -1px;
    font-weight: bold;
}

h3 {
    font-size: 1.17rem;
    /* 18px */
    line-height: 1.5rem;
    /* 24px */
    margin-bottom: 1.5rem;
    /* 24px */
    letter-spacing: -1px;
    font-weight: bold;
}

h4 {
    font-size: 1.12rem;
    /* 16px */
    line-height: 1.375rem;
    /* 22px */
    margin-bottom: 1.5rem;
    /* 24px */
    color: white;
}

h5 {
    font-size: 0.97rem;
    /* 16px */
    line-height: 1.25rem;
    /* 22px */
    margin-bottom: 1.5rem;
    /* 24px */
    font-weight: bold;
}

h6 {
    font-size: 0.93rem;
    /* 16px */
    line-height: 1rem;
    /* 16px */
    margin-bottom: 0.75rem;
    color: white;
}

@media (min-width: 980px) {
    h3.md-focus:before,
    h4.md-focus:before,
    h5.md-focus:before,
    h6.md-focus:before {
        color: #ddd;
        border: 1px solid #ddd;
        border-radius: 3px;
        position: absolute;
        left: -1.642857143rem;
        top: .357142857rem;
        float: left;
        font-size: 9px;
        padding-left: 2px;
        padding-right: 2px;
        vertical-align: bottom;
        font-weight: normal;
        line-height: normal;
    }

    h3.md-focus:before {
        content: 'h3';
    }

    h4.md-focus:before {
        content: 'h4';
    }

    h5.md-focus:before {
        content: 'h5';
        top: 0px;
    }

    h6.md-focus:before {
        content: 'h6';
        top: 0px;
    }
}

a {
    text-decoration: none;
    outline: 0;
}

a:hover {
    outline: 0;
}

a:focus {
    outline: thin dotted;
}

sup.md-footnote {
    background-color: #555;
    color: #ddd;
}

p {
    -ms-word-wrap: break-word;
    word-wrap: break-word;
}

p,
ul,
dd,
ol,
hr,
address,
pre,
table,
iframe,
.wp-caption,
.wp-audio-shortcode,
.wp-video-shortcode {
    margin-top: 0;
    margin-bottom: 1.5rem;
    /* 24px */
}

audio:not([controls]) {
    display: none;
}

[hidden] {
    display: none;
}

::-moz-selection {
    background: #4a89dc;
    color: #fff;
    text-shadow: none;
}

*.in-text-selection,
::selection {
    background: #4a89dc;
    color: #fff;
    text-shadow: none;
}

ul,
ol {
    padding: 0 0 0 1.875rem;
    /* 30px */
}

ul {
    list-style: square;
}

ol {
    list-style: decimal;
}

ul ul,
ol ol,
ul ol,
ol ul {
    margin: 0;
}

b,
th,
dt,
strong {
    font-weight: bold;
}

i,
em,
dfn,
cite {
    font-style: italic;
}

blockquote {
    padding-left: 1.875rem;
    margin: 0 0 1.875rem 1.875rem;
    border-left: solid 2px #474d54;
    padding-left: 30px;
    margin-top: 35px;
}

pre,
code,
kbd,
tt,
var {
    font-size: 0.875em;
    font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace;
}

code,
tt,
var {
    background: rgba(0, 0, 0, 0.05);
}

kbd {
    padding: 2px 4px;
    font-size: 90%;
    color: #fff;
    background-color: #333;
    border-radius: 3px;
    box-shadow: inset 0 -1px 0 rgba(0,0,0,.25);
}

pre.md-fences {
    padding: 10px 10px 10px 30px;
    margin-bottom: 20px;
    background: #333;
}

.CodeMirror-gutters {
    background: #333;
    border-right: 1px solid transparent;
}

.enable-diagrams pre.md-fences[lang="sequence"] .code-tooltip,
.enable-diagrams pre.md-fences[lang="flow"] .code-tooltip,
.enable-diagrams pre.md-fences[lang="mermaid"] .code-tooltip {
    bottom: -2.2em;
    right: 4px;
}

code,
kbd,
tt,
var {
    padding: 2px 5px;
}

table {
    max-width: 100%;
    width: 100%;
    border-collapse: collapse;
    border-spacing: 0;
}

th,
td {
    padding: 5px 10px;
    vertical-align: top;
}

a {
    -webkit-transition: all .2s ease-in-out;
    transition: all .2s ease-in-out;
}

hr {
    background: #474d54;
    /* variable */
}

h1 {
    margin-top: 2em;
}

a {
    color: #e0e0e0;
    text-decoration: underline;
}

a:hover {
    color: #fff;
}

.md-inline-math script {
    color: #81b1db;
}

b,
th,
dt,
strong {
    color: #DEDEDE;
    /* variable */
}

mark {
    background: #D3D40E;
}

blockquote {
    color: #9DA2A6;
}

table a {
    color: #DEDEDE;
    /* variable */
}

th,
td {
    border: solid 1px #474d54;
    /* variable */
}

.task-list {
    padding-left: 0;
}

.md-task-list-item {
    padding-left: 1.25rem;
}

.md-task-list-item > input {
    top: auto;
}

.md-task-list-item > input:before {
    content: "";
    display: inline-block;
    width: 0.875rem;
    height: 0.875rem;
    vertical-align: middle;
    text-align: center;
    border: 1px solid #b8bfc6;
    background-color: #363B40;
    margin-top: -0.4rem;
}

.md-task-list-item > input:checked:before,
.md-task-list-item > input[checked]:before {
    content: '\221A';
    /*◘*/
    font-size: 0.625rem;
    line-height: 0.625rem;
    color: #DEDEDE;
}

/** quick open **/
.auto-suggest-container {
    border: 0px;
    background-color: #525C65;
}

#typora-quick-open {
    background-color: #525C65;
}

#typora-quick-open input{
    background-color: #525C65;
    border: 0;
    border-bottom: 1px solid grey;
}

.typora-quick-open-item {
    background-color: inherit;
    color: inherit;
}

.typora-quick-open-item.active,
.typora-quick-open-item:hover {
    background-color: #4D8BDB;
    color: white;
}

.typora-quick-open-item:hover {
    background-color: rgba(77, 139, 219, 0.8);
}

.typora-search-spinner > div {
  background-color: #fff;
}

#write pre.md-meta-block {
    border-bottom: 1px dashed #ccc;
    background: transparent;
    padding-bottom: 0.6em;
    line-height: 1.6em;
}

.btn,
.btn .btn-default {
    background: transparent;
    color: #b8bfc6;
}

.ty-table-edit {
    border-top: 1px solid gray;
    background-color: #363B40;
}

.popover-title {
    background: transparent;
}

.md-image>.md-meta {
    color: #BBBBBB;
    background: transparent;
}

.md-expand.md-image>.md-meta {
    color: #DDD;
}

#write>h3:before,
#write>h4:before,
#write>h5:before,
#write>h6:before {
    border: none;
    border-radius: 0px;
    color: #888;
    text-decoration: underline;
    left: -1.4rem;
    top: 0.2rem;
}

#write>h3.md-focus:before {
    top: 2px;
}

#write>h4.md-focus:before {
    top: 2px;
}

.md-toc-item {
    color: #A8C2DC;
}

#write div.md-toc-tooltip {
    background-color: #363B40;
}

.dropdown-menu .btn:hover,
.dropdown-menu .btn:focus,
.md-toc .btn:hover,
.md-toc .btn:focus {
    color: white;
    background: black;
}

#toc-dropmenu {
    background: rgba(50, 54, 59, 0.93);
    border: 1px solid rgba(253, 253, 253, 0.15);
}

#toc-dropmenu .divider {
    background-color: #9b9b9b;
}

.outline-expander:before {
    top: 2px;
}

#typora-sidebar {
    box-shadow: none;
    border-right: 1px dashed;
    border-right: none;
}

.sidebar-tabs {
    border-bottom:0;
}

#typora-sidebar:hover .outline-title-wrapper {
    border-left: 1px dashed;
}

.outline-title-wrapper .btn {
    color: inherit;
}

.outline-item:hover {
    border-color: #363B40;
    background-color: #363B40;
    color: white;
}

h1.md-focus .md-attr,
h2.md-focus .md-attr,
h3.md-focus .md-attr,
h4.md-focus .md-attr,
h5.md-focus .md-attr,
h6.md-focus .md-attr,
.md-header-span .md-attr {
    color: #8C8E92;
    display: inline;
}

.md-comment {
    color: #5a95e3;
    opacity: 0.8;
}

.md-inline-math svg {
    color: #b8bfc6;
}

#math-inline-preview .md-arrow:after {
    background: black;
}

.modal-content {
    background: var(--bg-color);
    border: 0;
}

.modal-title {
    font-size: 1.5em;
}

.modal-content input {
    background-color: rgba(26, 21, 21, 0.51);
    color: white;
}

.modal-content .input-group-addon {
    color: white;
}

.modal-backdrop {
    background-color: rgba(174, 174, 174, 0.7);
}

.modal-content .btn-primary {
    border-color: var(--primary-color);
}

.md-table-resize-popover {
    background-color: #333;
}

.form-inline .input-group .input-group-addon {
    color: white;
}

#md-searchpanel {
    border-bottom: 1px dashed grey;
}

/** UI for electron */

.context-menu,
#spell-check-panel,
#footer-word-count-info {
    background-color: #42464A;
}

.context-menu.dropdown-menu .divider,
.dropdown-menu .divider {
    background-color: #777777;
    opacity: 1;
}

footer {
    color: inherit;
}

@media (max-width: 1000px) {
    footer {
        border-top: none;
    }
    footer:hover {
        color: inherit;
    }
}

#file-info-file-path .file-info-field-value:hover {
    background-color: #555;
    color: #dedede;
}

.megamenu-content,
.megamenu-opened header {
    background: var(--bg-color);
}

.megamenu-menu-panel h2,
.megamenu-menu-panel h1,
.long-btn {
    color: inherit;
}

.megamenu-menu-panel input[type='text'] {
    background: inherit;
    border: 0;
    border-bottom: 1px solid;
}

#recent-file-panel-action-btn {
    background: inherit;
    border: 1px grey solid;
}

.megamenu-menu-panel .dropdown-menu > li > a {
    color: inherit;
    background-color: #2F353A;
    text-decoration: none;
}

.megamenu-menu-panel table td:nth-child(1) {
    color: inherit;
    font-weight: bold;
}

.megamenu-menu-panel tbody tr:hover td:nth-child(1) {
    color: white;
}

.modal-footer .btn-default, 
.modal-footer .btn-primary,
.modal-footer .btn-default:not(:hover) {
    border: 1px solid;
    border-color: transparent;
}

.btn-primary {
    color: white;
}

.btn-default:hover, .btn-default:focus, .btn-default.focus, .btn-default:active, .btn-default.active, .open > .dropdown-toggle.btn-default {
    color: white;
    border: 1px solid #ddd;
    background-color: inherit;
}

.modal-header {
    border-bottom: 0;
}

.modal-footer {
    border-top: 0;
}

#recent-file-panel tbody tr:nth-child(2n-1) {
    background-color: transparent !important;
}

.megamenu-menu-panel tbody tr:hover td:nth-child(2) {
    color: inherit;
}

.megamenu-menu-panel .btn {
    border: 1px solid #eee;
    background: transparent;
}

.mouse-hover .toolbar-icon.btn:hover,
#w-full.mouse-hover,
#w-pin.mouse-hover {
    background-color: inherit;
}

.typora-node::-webkit-scrollbar {
    width: 5px;
}

.typora-node::-webkit-scrollbar-thumb:vertical {
    background: rgba(250, 250, 250, 0.3);
}

.typora-node::-webkit-scrollbar-thumb:vertical:active {
    background: rgba(250, 250, 250, 0.5);
}

#w-unpin {
    background-color: #4182c4;
}

#top-titlebar, #top-titlebar * {
    color: var(--item-hover-text-color);
}

.typora-sourceview-on #toggle-sourceview-btn,
#footer-word-count:hover,
.ty-show-word-count #footer-word-count {
    background: #333333;
}

#toggle-sourceview-btn:hover {
    color: #eee;
    background: #333333;
}

/** focus mode */
.on-focus-mode .md-end-block:not(.md-focus):not(.md-focus-container) * {
    color: #686868 !important;
}

.on-focus-mode .md-end-block:not(.md-focus) img,
.on-focus-mode .md-task-list-item:not(.md-focus-container)>input {
    opacity: #686868 !important;
}

.on-focus-mode li[cid]:not(.md-focus-container){
    color: #686868;
}

.on-focus-mode .md-fences.md-focus .CodeMirror-code>*:not(.CodeMirror-activeline) *,
.on-focus-mode .CodeMirror.cm-s-inner:not(.CodeMirror-focused) * {
    color: #686868 !important;
}

.on-focus-mode .md-focus,
.on-focus-mode .md-focus-container {
    color: #fff;
}

.on-focus-mode #typora-source .CodeMirror-code>*:not(.CodeMirror-activeline) * {
    color: #686868 !important;
}


/*diagrams*/
#write .md-focus .md-diagram-panel {
    border: 1px solid #ddd;
    margin-left: -1px;
    width: calc(100% + 2px);
}

/*diagrams*/
#write .md-focus.md-fences-with-lineno .md-diagram-panel {
    margin-left: auto;
}

.md-diagram-panel-error {
    color: #f1908e;
}

.active-tab-files #info-panel-tab-file,
.active-tab-files #info-panel-tab-file:hover,
.active-tab-outline #info-panel-tab-outline,
.active-tab-outline #info-panel-tab-outline:hover {
    color: #eee;
}

.sidebar-footer-item:hover,
.footer-item:hover {
    background: inherit;
    color: white;
}

.ty-side-sort-btn.active,
.ty-side-sort-btn:hover,
.selected-folder-menu-item a:after {
    color: white;
}

#sidebar-files-menu {
    border:solid 1px;
    box-shadow: 4px 4px 20px rgba(0, 0, 0, 0.79);
    background-color: var(--bg-color);
}

.file-list-item {
    border-bottom:none;
}

.file-list-item-summary {
    opacity: 1;
}

.file-list-item.active:first-child {
    border-top: none;
}

.file-node-background {
    height: 32px;
}

.file-library-node.active>.file-node-content,
.file-list-item.active {
    color: white;
    color: var(--active-file-text-color);
}

.file-library-node.active>.file-node-background{
    background-color: rgb(34, 34, 34);
    background-color: var(--active-file-bg-color);
}
.file-list-item.active {
    background-color: rgb(34, 34, 34);
    background-color: var(--active-file-bg-color);
}

#ty-tooltip {
    background-color: black;
    color: #eee;
}

.md-task-list-item>input {
    margin-left: -1.3em;
    margin-top: 0.3rem;
    -webkit-appearance: none;
}

.md-mathjax-midline {
    background-color: #57616b;
    border-bottom: none;
}

footer.ty-footer {
    border-color: #656565;
}

.ty-preferences .btn-default {
    background: transparent;
}
.ty-preferences .btn-default:hover {
    background: #57616b;
}

.ty-preferences select {
    border: 1px solid #989698;
    height: 21px;
}

.ty-preferences .nav-group-item.active,
.export-item.active,
.export-items-list-control,
.export-detail {
    background: var(--item-hover-bg-color);
}

.ty-preferences input[type="search"] {
    border-color: #333;
    background: #333;
    line-height: 22px;
    border-radius: 6px;
    color: white;
}

.ty-preferences input[type="search"]:focus {
    box-shadow: none;
}

[data-is-directory="true"] .file-node-content {
    margin-bottom: 0;
}

.file-node-title {
    line-height: 22px;
}

.html-for-mac .file-node-open-state, .html-for-mac .file-node-icon {
    line-height: 26px;
}

::-webkit-scrollbar-thumb {
    background: rgba(230, 230, 230, 0.30);
}

::-webkit-scrollbar-thumb:active {
    background: rgba(230, 230, 230, 0.50);
}

#typora-sidebar:hover div.sidebar-content-content::-webkit-scrollbar-thumb:horizontal {
    background: rgba(230, 230, 230, 0.30);
}

.nav-group-item:active {
    background-color: #474d54 !important;
}

.md-search-hit {
    background: rgba(199, 140, 60, 0.81);
    color: #eee;
}

.md-search-hit * {
    color: #eee;
}

#md-searchpanel input {
    color: white;
}

.modal-backdrop.in {
    opacity: 1;
    backdrop-filter: blur(1px);
}

.clear-btn-icon {
    top: 8px;
}

/* try fix https://github.com/typora/typora-issues/issues/5253 */
.file-node-expanded>.file-node-children {
    display: grid;
  }

.md-alert-text-note {
    color: rgb(47, 129, 247);
}
.md-alert-text-important {
    color: rgb(163, 113, 247);
}
.md-alert-text-warning {
    color:  rgb(210, 153, 34);
}

 @media print { @page {margin: 0 0 0 0;} body.typora-export {padding-left: 0; padding-right: 0;} #write {padding:0;}}
</style><title></title>
</head>
<body class='typora-export'><div class='typora-export-content'>
<div id='write'  class=''><h1 id='pve-firewall8-pve防火墙8）'><span>pve-firewall(8)</span></h1><p><strong><span>Proxmox Server Solutions GmbH</span></strong>
<a href='mailto:support@proxmox.com' target='_blank' class='url'>support@proxmox.com</a>
<span>version 8.2.3, Wed Jul 31 16:58:41 CEST 2024</span></p><h2 id='name-名字'><span>NAME</span></h2><p><span>pve-firewall - PVE Firewall Daemon</span>
</p><h2 id='synopsis-概要'><span>SYNOPSIS</span></h2><p><strong><span>pve-firewall</span></strong><span> &lt;COMMAND&gt; [ARGS] [OPTIONS]</span></p>
<p><strong><span>pve-firewall compile</span></strong></p><p><span>Compile and print firewall rules. This is useful for testing.</span></p>
<p><strong><span>pve-firewall help</span></strong><span> [OPTIONS]</span></p><p><span>Get help about the specified command.</span></p>
<ul><li><p><span>--extra-args &lt;array&gt;</span></p><p><span>Shows help for a specific command.</span></p></li>
<li><p><span>--verbose &lt;boolean&gt;</span></p><p><span>Verbose output format.</span></p></li></ul>
<p><strong><span>pve-firewall localnet</span></strong></p><p><span>Print information about the local network.</span></p>
<p><strong><span>pve-firewall restart</span></strong></p><p><span>Restart the Proxmox VE firewall service.</span></p>
<p><strong><span>pve-firewall simulate</span></strong><span> [OPTIONS]</span></p><p><span>Simulate firewall rules. This does not simulate the kernel </span><em><span>routing</span></em><span> table, but simply assumes that routing from source zone to destination zone is possible.</span></p>
<ul><li><p><span>--dest &lt;string&gt;</span></p><p><span>Destination IP address.</span></p></li>
<li><p><span>--dport &lt;integer&gt;</span></p><p><span>Destination port.</span></p></li>
<li><p><span>--from (host|outside|vm\d+|ct\d+|([a-zA-Z][a-zA-Z0-9]{0,9})/(\S+)) (</span><em><span>default =</span></em><span> outside)</span></p><p><span>Source zone.</span></p></li>
<li><p><span>--protocol (tcp|udp) (</span><em><span>default =</span></em><span> tcp)</span></p><p><span>Protocol.</span></p></li>
<li><p><span>--source &lt;string&gt;</span></p><p><span>Source IP address.</span></p></li>
<li><p><span>--sport &lt;integer&gt;</span></p><p><span>Source port.</span></p></li>
<li><p><span>--to (host|outside|vm\d+|ct\d+|([a-zA-Z][a-zA-Z0-9]{0,9})/(\S+)) (</span><em><span>default =</span></em><span> host)</span></p><p><span>Destination zone.</span></p></li>
<li><p><span>--verbose &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Verbose output.</span></p></li></ul>
<p><strong><span>pve-firewall start</span></strong><span> [OPTIONS]</span></p><p><span>Start the Proxmox VE firewall service.</span></p>
<ul><li><p><span>--debug &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Debug mode - stay in foreground</span></p></li></ul>
<p><strong><span>pve-firewall status</span></strong></p><p><span>Get firewall status.</span></p>
<p><strong><span>pve-firewall stop</span></strong></p><p><span>Stop the Proxmox VE firewall service. Note that stopping actively removes all Proxmox VE related iptables rules, leaving the host potentially unprotected.</span>
</p><h2 id='description-描述'><span>DESCRIPTION</span></h2><p><span>Proxmox VE Firewall provides an easy way to protect your IT infrastructure. You can set up firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets and aliases help to make that task easier.</span></p>
<p><span>While all configuration is stored on the cluster file system, the iptables-based firewall service runs on each cluster node, and thus provides full isolation between virtual machines. The distributed nature of this system also provides much higher bandwidth than a central firewall solution.</span></p>
<p><span>The firewall has full support for IPv4 and IPv6. IPv6 support is fully transparent, and we filter traffic for both protocols by default. So there is no need to maintain a different set of rules for IPv6.</span></p>
<h2 id='zones-区'><span>Zones</span></h2><p><span>The Proxmox VE firewall groups the network into the following logical zones:</span></p>
<ul><li><p><span>Host</span></p><p><span>Traffic from/to a cluster node</span></p></li>
<li><p><span>VM</span></p><p><span>Traffic from/to a specific VM</span></p></li></ul>
<p><span>For each zone, you can define firewall rules for incoming and/or outgoing traffic.</span></p>
<h2 id='configuration-files-配置文件'><span>Configuration Files</span></h2><p><span>All firewall related configuration is stored on the Proxmox cluster file system. So those files are automatically distributed to all cluster nodes, and the pve-firewall service updates the underlying iptables rules automatically on changes.</span></p>
<p><span>You can configure anything using the GUI (i.e. </span><strong><span>Datacenter</span></strong><span> → </span><strong><span>Firewall</span></strong><span>, or on a </span><strong><span>Node</span></strong><span> → </span><strong><span>Firewall</span></strong><span>), or you can edit the configuration files directly using your preferred editor.</span></p>
<p><span>Firewall configuration files contain sections of key-value pairs. Lines beginning with a # and blank lines are considered comments. Sections start with a header line containing the section name enclosed in [ and ].</span></p>
<h3 id='cluster-wide-setup-集群范围的设置'><span>Cluster Wide Setup</span></h3><p><span>The cluster-wide firewall configuration is stored at:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">/etc/pve/firewall/cluster.fw</pre>
<p><span>The configuration can contain the following sections:</span></p>
<ul><li><p><span>[OPTIONS]</span></p><p><span>This is used to set cluster-wide firewall options.</span></p></li>
<li><p><span>ebtables: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 1)</span></p><p><span>Enable ebtables rules cluster wide.</span></p></li>
<li><p><span>enable: &lt;integer&gt; (0 - N)</span></p><p><span>Enable or disable the firewall cluster wide.</span></p></li>
<li><p><span>log_ratelimit: [enable=]&lt;1|0&gt; [,burst=&lt;integer&gt;] [,rate=&lt;rate&gt;]</span></p><p><span>Log ratelimiting settings</span></p><ul><li><p><span>burst=&lt;integer&gt; (0 - N) (</span><em><span>default =</span></em><span> 5)</span></p><p><span>Initial burst of packets which will always get logged before the rate is applied</span></p></li><li><p><span>enable=&lt;boolean&gt; (</span><em><span>default =</span></em><span> 1)</span></p><p><span>Enable or disable log rate limiting</span></p></li><li><p><span>rate=&lt;rate&gt; (</span><em><span>default =</span></em><span> 1/second)</span></p><p><span>Frequency with which the burst bucket gets refilled</span></p></li></ul></li>
<li><p><span>policy_in: &lt;ACCEPT | DROP | REJECT&gt;</span></p><p><span>Input policy.</span></p></li>
<li><p><span>policy_out: &lt;ACCEPT | DROP | REJECT&gt;</span></p><p><span>Output policy.</span></p></li>
<li><p><span>[RULES]</span></p><p><span>This section contains cluster-wide firewall rules for all nodes.</span></p></li>
<li><p><span>[IPSET &lt;name&gt;]</span></p><p><span>Cluster wide IP set definitions.</span></p></li>
<li><p><span>[GROUP &lt;name&gt;]</span></p><p><span>Cluster wide security group definitions.</span></p></li>
<li><p><span>[ALIASES]</span></p><p><span>Cluster wide Alias definitions.</span></p></li></ul>
<h4 id='enabling-the-firewall-启用防火墙'><span>Enabling the Firewall</span></h4><p><span>The firewall is completely disabled by default, so you need to set the enable option here:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">[OPTIONS]
# enable firewall (cluster-wide setting, default is disabled)
enable: 1</pre>
<figure class='table-figure'><table><thead><tr><th><span>Important</span></th><th><span>If you enable the firewall, traffic to all hosts is blocked by default. The only exceptions are WebGUI (8006) and ssh (22) from your local network.</span></th></tr></thead></table></figure>
<p><span>If you want to administer your Proxmox VE hosts remotely, you need to create rules to allow traffic from those remote IPs to the web GUI (port 8006). You may also want to allow ssh (port 22), and maybe SPICE (port 3128).</span>
</p><figure class='table-figure'><table><thead><tr><th><span>Tip</span></th><th><span>Please open an SSH connection to one of your Proxmox VE hosts before enabling the firewall. That way you still have access to the host if something goes wrong.</span></th></tr></thead></table></figure>
<p><span>To simplify that task, you can instead create an IPSet called “management”, and add all remote IPs there. This creates all required firewall rules to access the GUI remotely.</span>
</p><h3 id='host-specific-configuration-主机特定配置'><span>Host Specific Configuration</span></h3><p><span>Host related configuration is read from:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">/etc/pve/nodes/&lt;nodename&gt;/host.fw</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>This is useful if you want to overwrite rules from cluster.fw config. 
You can also increase log verbosity, and set netfilter related options. The configuration can contain the following sections:</span>
</p><ul><li><p><span>[OPTIONS]</span></p><p><span>This is used to set host related firewall options.</span></p></li><li><p><span>enable: &lt;boolean&gt;</span></p><p><span>Enable host firewall rules.</span></p></li><li><p><span>log_level_in: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for incoming traffic.</span></p></li><li><p><span>log_level_out: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for outgoing traffic.</span></p></li><li><p><span>log_nf_conntrack: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable logging of conntrack information.</span></p></li><li><p><span>ndp: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable NDP (Neighbor Discovery Protocol).</span></p></li><li><p><span>nf_conntrack_allow_invalid: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Allow invalid packets on connection tracking. 
</span></p></li><li><p><span>nf_conntrack_helpers: &lt;string&gt; (</span><em><span>default =</span></em><span> ``)</span></p><p><span>Enable conntrack helpers for specific protocols. Supported protocols: amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp, tftp</span></p></li><li><p><span>nf_conntrack_max: &lt;integer&gt; (32768 - N) (</span><em><span>default =</span></em><span> 262144)</span></p><p><span>Maximum number of tracked connections.</span></p></li><li><p><span>nf_conntrack_tcp_timeout_established: &lt;integer&gt; (7875 - N) (</span><em><span>default =</span></em><span> 432000)</span></p><p><span>Conntrack established timeout.</span></p></li><li><p><span>nf_conntrack_tcp_timeout_syn_recv: &lt;integer&gt; (30 - 60) (</span><em><span>default =</span></em><span> 60)</span></p><p><span>Conntrack syn recv timeout.</span></p></li><li><p><span>nftables: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable nftables based firewall (tech preview)</span></p></li><li><p><span>nosmurfs: &lt;boolean&gt;</span></p><p><span>Enable SMURFS filter. 
</span></p></li><li><p><span>protection_synflood: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable synflood protection</span></p></li><li><p><span>protection_synflood_burst: &lt;integer&gt; (</span><em><span>default =</span></em><span> 1000)</span></p><p><span>Synflood protection rate burst by ip src.</span></p></li><li><p><span>protection_synflood_rate: &lt;integer&gt; (</span><em><span>default =</span></em><span> 200)</span></p><p><span>Synflood protection rate syn/sec by ip src.</span></p></li><li><p><span>smurf_log_level: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for SMURFS filter.</span></p></li><li><p><span>tcp_flags_log_level: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for illegal tcp flags filter.</span></p></li><li><p><span>tcpflags: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Filter illegal combinations of TCP flags.</span></p></li><li><p><span>[RULES]</span></p><p><span>This section contains host specific firewall rules. 
</span></p></li></ul><h3 id='vmcontainer-configuration-虚拟机容器配置'><span>VM/Container Configuration</span></h3><p><span>VM firewall configuration is read from:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">/etc/pve/firewall/&lt;VMID&gt;.fw</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>and contains the following data:</span>
</p><ul><li><p><span>[OPTIONS]</span></p><p><span>This is used to set VM/Container related firewall options.</span></p></li><li><p><span>dhcp: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable DHCP.</span></p></li><li><p><span>enable: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable/disable firewall rules.</span></p></li><li><p><span>ipfilter: &lt;boolean&gt;</span></p><p><span>Enable default IP filters. This is equivalent to adding an empty ipfilter-net&lt;id&gt; ipset for every interface. Such ipsets implicitly contain sane default restrictions such as restricting IPv6 link local addresses to the one derived from the interface’s MAC address. For containers the configured IP addresses will be implicitly added.</span></p></li><li><p><span>log_level_in: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for incoming traffic.</span></p></li><li><p><span>log_level_out: &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for outgoing traffic.</span></p></li><li><p><span>macfilter: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 1)</span></p><p><span>Enable/disable MAC address filter. 
</span></p></li><li><p><span>ndp: &lt;boolean&gt; (</span><em><span>default =</span></em><span> 0)</span></p><p><span>Enable NDP (Neighbor Discovery Protocol).</span></p></li><li><p><span>policy_in: &lt;ACCEPT | DROP | REJECT&gt;</span></p><p><span>Input policy.</span></p></li><li><p><span>policy_out: &lt;ACCEPT | DROP | REJECT&gt;</span></p><p><span>Output policy.</span></p></li><li><p><span>radv: &lt;boolean&gt;</span></p><p><span>Allow sending Router Advertisement.</span></p></li><li><p><span>[RULES]</span></p><p><span>This section contains VM/Container firewall rules.</span></p></li><li><p><span>[IPSET &lt;name&gt;]</span></p><p><span>IP set definitions.</span></p></li><li><p><span>[ALIASES]</span></p><p><span>IP Alias definitions.</span></p></li></ul><h4 id='enabling-the-firewall-for-vms-and-containers-为虚拟机和容器启用防火墙'><span>Enabling the Firewall for VMs and Containers</span></h4><p><span>Each virtual network device has its own firewall enable flag. So you can selectively enable the firewall for each interface. This is required in addition to the general firewall enable option.</span>
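</p><p><span>The two-level enable described above is easy to get wrong, so here is an added audit sketch (not Proxmox code) that compares a guest's [OPTIONS] with the per-interface flags. The guest config format (netN lines carrying firewall=1) is an assumption not shown on this page, and both sample texts are constructed.</span></p>

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)[^\]]*\]$")
NET_RE = re.compile(r"^(net\d+):\s*(\S+)")

MESSAGES = {
    "guest-disabled": "enable is 0 or unset: rules in this .fw file are not applied",
    "macfilter-off": "macfilter is 0: the MAC address filter (default 1) is off",
    "policy-in-accept": "policy_in is ACCEPT: inbound traffic matching no rule is allowed",
    "nic-flag-missing": "no firewall=1 on this interface, so guest rules do not cover it",
    "nic-flag-unused": "firewall=1 is set, but the guest-level enable option is off",
}


def parse_fw_options(fw_text):
    """Return the key/value pairs of the [OPTIONS] section of a <VMID>.fw file."""
    options, section = {}, None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
    return options


def parse_nic_flags(guest_conf):
    """Map each netN key of the guest config to its firewall flag (True/False)."""
    flags = {}
    for raw in guest_conf.splitlines():
        match = NET_RE.match(raw.strip())
        if not match:
            continue
        props = dict(p.split("=", 1) for p in match.group(2).split(",") if "=" in p)
        flags[match.group(1)] = props.get("firewall", "0") == "1"
    return flags


def audit_guest(fw_text, guest_conf):
    """Return (scope, code) findings; codes are keys of MESSAGES."""
    opts = parse_fw_options(fw_text)
    enabled = opts.get("enable", "0") == "1"      # documented default = 0
    findings = []
    if not enabled:
        findings.append(("guest", "guest-disabled"))
    if opts.get("macfilter", "1") == "0":         # documented default = 1
        findings.append(("guest", "macfilter-off"))
    if opts.get("policy_in") == "ACCEPT":
        findings.append(("guest", "policy-in-accept"))
    for nic, flag in sorted(parse_nic_flags(guest_conf).items()):
        if enabled and not flag:
            findings.append((nic, "nic-flag-missing"))
        elif flag and not enabled:
            findings.append((nic, "nic-flag-unused"))
    return findings


# Constructed sample: guest firewall on, but only net0 carries the flag.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
macfilter: 0

[RULES]
IN SSH(ACCEPT) -i net0
"""
SAMPLE_CONF = """\
cores: 2
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
"""

if __name__ == "__main__":
    for scope, code in audit_guest(SAMPLE_FW, SAMPLE_CONF):
        print(f"{scope}: {MESSAGES[code]}")
```

<p>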
</p><h2 id='firewall-rules-防火墙规则'><span>Firewall Rules</span></h2><p><span>Firewall rules consist of a direction (IN or OUT) and an action (ACCEPT, DENY, REJECT). You can also specify a macro name. Macros contain predefined sets of rules and options. Rules can be disabled by prefixing them with |.</span>
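</p><p><span>An added example, not Proxmox code: a small linter for rule lines of the form described here, checking the port and address constraints documented for the rule options in this section. It accepts the short and single-dash option spellings (-i, -p, -source, -dport) used in this page's rule listings; the sample rules are constructed.</span></p>

```python
import ipaddress
import re

ACTIONS = {"ACCEPT", "DROP", "REJECT"}  # as in this page's rule examples and policy_in values
SHORT = {"i": "iface", "p": "proto"}    # short option forms used in the page's examples
RULE_RE = re.compile(r"^(?P<off>\|)?(?P<dir>IN|OUT)\s+"
                     r"(?:(?P<macro>\w+)\((?P<mact>\w+)\)|(?P<act>\w+))(?P<rest>.*)$")


def parse_rule(line):
    """Parse one rule line into a dict; return None for blank or comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    m = RULE_RE.match(body)
    if not m:
        raise ValueError(f"not a rule line: {body}")
    tokens = m.group("rest").split()
    if len(tokens) % 2:
        raise ValueError(f"option without a value: {body}")
    options = {}
    for flag, value in zip(tokens[::2], tokens[1::2]):
        name = flag.lstrip("-")
        options[SHORT.get(name, name)] = value
    return {"enabled": m.group("off") is None, "direction": m.group("dir"),
            "macro": m.group("macro"), "action": m.group("mact") or m.group("act"),
            "options": options}


def check_ports(spec):
    """Problems in a dport/sport value: comma list of names, numbers or lo:hi ranges."""
    problems = []
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) <= 2 and all(p.isdigit() for p in parts):
            nums = [int(p) for p in parts]
            if any(n > 65535 for n in nums):
                problems.append(f"port out of range: {item}")
            elif len(nums) == 2 and nums[0] > nums[1]:
                problems.append(f"reversed port range: {item}")
        elif not re.fullmatch(r"[A-Za-z][\w-]*", item):
            problems.append(f"malformed port: {item}")
    return problems


def address_families(spec):
    """IP versions written literally in a source/dest value."""
    versions = set()
    for item in spec.split(","):
        for part in item.split("-"):          # a-b address ranges
            try:
                versions.add(ipaddress.ip_network(part, strict=False).version)
            except ValueError:
                pass                          # +ipsetname or alias: not resolved here
    return versions


def lint_rules(text):
    """Return (line_number, finding) tuples for the rule lines in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body or body.startswith("[") or body.upper().startswith("GROUP "):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append((no, str(exc)))
            continue
        if not rule["enabled"]:
            findings.append((no, "rule is disabled with '|'"))
            continue
        opts = rule["options"]
        if rule["action"] not in ACTIONS:
            findings.append((no, f"unknown action: {rule['action']}"))
        for key in ("dport", "sport"):
            if key in opts:
                findings += [(no, problem) for problem in check_ports(opts[key])]
        for key in ("source", "dest"):
            if len(address_families(opts.get(key, ""))) > 1:
                findings.append((no, f"{key} mixes IPv4 and IPv6 addresses"))
        if rule["direction"] == "IN" and rule["action"] == "ACCEPT" and "source" not in opts:
            findings.append((no, "inbound ACCEPT without a source restriction"))
    return findings


# Constructed sample rules, one per kind of finding.
SAMPLE = """\
[RULES]
IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # restricted, no finding
IN ACCEPT -p tcp -dport 80:85,443
|IN SSH(ACCEPT) -i net0
IN ACCEPT -p tcp -dport 70000 -source +mynetgroup
IN ACCEPT -source 10.0.0.1,2001:db8::1 -dport 22
IN  DROP
OUT ACCEPT
"""

if __name__ == "__main__":
    for no, finding in lint_rules(SAMPLE):
        print(f"line {no}: {finding}")
```

<p>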
</p><p><span>Firewall rules syntax</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[RULES]</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">DIRECTION ACTION [OPTIONS]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|DIRECTION ACTION [OPTIONS] # disabled rule</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">DIRECTION MACRO(ACTION) [OPTIONS] # use predefined macro</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 156px;"></div><div class="CodeMirror-gutters" style="display: none; height: 156px;"></div></div></div></pre><p><span>The following options can be used to refine rule matches.</span>
</p><ul><li><p><span>--dest &lt;string&gt;</span></p><p><span>Restrict packet destination address. This can refer to a single IP address, an IP set (</span><em><span>+ipsetname</span></em><span>) or an IP alias definition. You can also specify an address range like </span><em><span>20.34.101.207-201.3.9.99</span></em><span>, or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.</span></p></li><li><p><span>--dport &lt;string&gt;</span></p><p><span>Restrict TCP/UDP destination port. You can use service names or simple numbers (0-65535), as defined in </span><em><span>/etc/services</span></em><span>. Port ranges can be specified with </span><em><span>\d+:\d+</span></em><span>, for example </span><em><span>80:85</span></em><span>, and you can use a comma-separated list to match several ports or ranges.</span></p></li><li><p><span>--icmp-type &lt;string&gt;</span></p><p><span>Specify icmp-type. Only valid if proto equals </span><em><span>icmp</span></em><span> or </span><em><span>icmpv6</span></em><span>/</span><em><span>ipv6-icmp</span></em><span>.</span></p></li><li><p><span>--iface &lt;string&gt;</span></p><p><span>Network interface name. You have to use network configuration key names for VMs and containers (</span><em><span>net\d+</span></em><span>). Host related rules can use arbitrary strings. 
</span></p></li><li><p><span>--log &lt;alert | crit | debug | emerg | err | info | nolog | notice | warning&gt;</span></p><p><span>Log level for firewall rule.</span></p></li><li><p><span>--proto &lt;string&gt;</span></p><p><span>IP protocol. You can use protocol names (</span><em><span>tcp</span></em><span>/</span><em><span>udp</span></em><span>) or simple numbers, as defined in </span><em><span>/etc/protocols</span></em><span>.</span></p></li><li><p><span>--source &lt;string&gt;</span></p><p><span>Restrict packet source address. This can refer to a single IP address, an IP set (</span><em><span>+ipsetname</span></em><span>) or an IP alias definition. You can also specify an address range like </span><em><span>20.34.101.207-201.3.9.99</span></em><span>, or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.</span></p></li><li><p><span>--sport &lt;string&gt;</span></p><p><span>Restrict TCP/UDP source port. You can use service names or simple numbers (0-65535), as defined in </span><em><span>/etc/services</span></em><span>. Port ranges can be specified with </span><em><span>\d+:\d+</span></em><span>, for example </span><em><span>80:85</span></em><span>, and you can use a comma-separated list to match several ports or ranges. 
</span></p></li></ul><p><span>Here are some examples:</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[RULES]</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0</span></pre><pre class=" 
CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 # a comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for IP range</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for IP list</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|IN SSH(ACCEPT) -i net0 # disabled rule</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN  DROP # drop all incoming packets</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OUT ACCEPT # accept all outgoing packets</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 468px;"></div><div class="CodeMirror-gutters" style="display: none; height: 468px;"></div></div></div></pre><h2 id='security-groups-安全组'><span>Security Groups</span></h2><p><span>A security group is a collection of rules, defined at cluster level, which can be used in all VMs&#39; rules. For example you can define a group named “webserver” with rules to open the </span><em><span>http</span></em><span> and </span><em><span>https</span></em><span> ports.</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"># /etc/pve/firewall/cluster.fw</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[group webserver]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN  ACCEPT -p tcp -dport 80</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IN  ACCEPT -p tcp -dport 443</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 130px;"></div><div class="CodeMirror-gutters" style="display: none; height: 130px;"></div></div></div></pre><p><span>Then, you can add this group to a VM’s firewall</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"># /etc/pve/firewall/&lt;VMID&gt;.fw</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[RULES]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">GROUP webserver</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 104px;"></div><div class="CodeMirror-gutters" style="display: none; height: 104px;"></div></div></div></pre><h2 id='ip-aliases-ip-别名'><span>IP Aliases</span></h2><p><span>IP Aliases allow you to associate IP addresses of networks with a name. You can then refer to those names:</span>
</p><ul><li><p><span>inside IP set definitions</span>
</p></li><li><p><span>in source and dest properties of firewall rules</span>
</p></li></ul><h3 id='standard-ip-alias-localnetwork-标准-ip-别名-localnetwork'><span>Standard IP Alias local_network</span></h3><p><span>This alias is automatically defined. Please use the following command to see assigned values:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"># pve-firewall localnet</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">local hostname: example</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">local IP address: 192.168.2.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">network auto detect: 192.168.0.0/20</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">using detected local_network: 192.168.0.0/20</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 130px;"></div><div class="CodeMirror-gutters" style="display: none; height: 130px;"></div></div></div></pre><p><span>The firewall automatically sets up rules to allow everything needed for cluster communication (corosync, API, SSH) using this alias.</span>
<span>防火墙会自动设置规则，以允许使用此别名进行集群通信（corosync、API、SSH）所需的一切。</span></p><p><span>The user can override these values in the cluster.fw alias section. If you use a single host on a public network, it is better to explicitly assign the local IP address:</span>
<span>用户可以在 cluster.fw 别名部分中覆盖这些值。如果在公共网络上使用单个主机，则最好明确分配本地 IP 地址</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/pve/firewall/cluster.fw
[ALIASES]
local_network 1.2.3.4 # use the single IP address</pre><h2 id='ip-sets-ip-集'><span>IP Sets IP 集</span></h2><p><span>IP sets can be used to define groups of networks and hosts. You can refer to them with ‘+name’ in the firewall rules’ source and dest properties.</span>
<span>IP 集可用于定义网络组和主机组。您可以在防火墙规则的 source 和 dest 属性中使用“+name”来引用它们。</span></p><p><span>The following example allows HTTP traffic from the management IP set.</span>
<span>以下示例允许来自管理 IP 集的 HTTP 流量。</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">IN HTTP(ACCEPT) -source +management</pre><h3 id='standard-ip-set-management-标准-ip-集管理'><span>Standard IP set management 标准 IP 集管理 </span></h3><p><span>This IP set applies only to host firewalls (not VM firewalls). Those IPs are allowed to do normal management tasks (Proxmox VE GUI, VNC, SPICE, SSH).</span>
<span>此 IP 集仅适用于主机防火墙（不适用于 VM 防火墙）。允许这些 IP 执行正常的管理任务（Proxmox VE GUI、VNC、SPICE、SSH）。</span></p><p><span>The local cluster network is automatically added to this IP set (alias cluster_network), to enable inter-host cluster communication (multicast, SSH, …).</span>
<span>本地集群网络会自动添加到此 IP 集（别名 cluster_network），以启用主机集群间通信。（组播，SSH,...）</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/pve/firewall/cluster.fw

[IPSET management]
192.168.2.10
192.168.2.10/24</pre><h3 id='standard-ip-set-blacklist-标准ip设置黑名单'><span>Standard IP set blacklist 标准IP设置黑名单 </span></h3><p><span>Traffic from these IPs is dropped by every host’s and VM’s firewall.</span>
<span>来自这些 IP 的流量会被每个主机和 VM 的防火墙丢弃。</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/pve/firewall/cluster.fw

[IPSET blacklist]
77.240.159.182
213.87.123.0/24</pre><h3 id='standard-ip-set-ipfilter-net-标准-ip-集-ipfilter-net'><span>Standard IP set ipfilter-net* 标准 IP 集 ipfilter-net* </span></h3><p><span>These filters belong to a VM’s network interface and are mainly used to prevent IP spoofing. If such a set exists for an interface then any outgoing traffic with a source IP not matching its interface’s corresponding ipfilter set will be dropped.</span>
<span>这些筛选器属于 VM 的网络接口，主要用于防止 IP 欺骗。如果接口存在此类集，则源 IP 与其接口的相应 ipfilter 集不匹配的任何传出流量都将被丢弃。</span></p><p><span>For containers with configured IP addresses these sets, if they exist (or are activated via the general IP Filter option in the VM’s firewall’s </span><strong><span>options</span></strong><span> tab), implicitly contain the associated IP addresses.</span>
<span>对于配置了 IP 地址的容器，如果这些集存在（或通过 VM </span><strong><span>防火墙的选项</span></strong><span>选项卡中的常规 IP 筛选器选项激活），则隐式包含关联的 IP 地址。</span></p><p><span>For both virtual machines and containers they also implicitly contain the standard MAC-derived IPv6 link-local address in order to allow the neighbor discovery protocol to work.</span>
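</p><p><span>The filtering described in the three paragraphs above, as an added example (a model of the documented behaviour, not Proxmox VE code). The MAC address, the net1 lookup and all function names are assumptions made for illustration; the set contents are those of the ipfilter-net0 example on this page.</span></p>

```python
import ipaddress

# Constructed guest firewall file; the IPSET section is the one shown on this page.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10
"""

SAMPLE_MAC = "52:54:00:12:34:56"   # constructed MAC address of the guest's net0


def mac_to_link_local(mac):
    """Standard MAC-derived (modified EUI-64) IPv6 link-local address."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(o > 255 for o in octets):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets[0] ^= 0x02                      # flip the universal/local bit
    interface_id = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    return ipaddress.IPv6Address(bytes([0xFE, 0x80] + [0] * 6) + interface_id)


def parse_ipfilter_sets(fw_text):
    """Return {interface: [network, ...]} for every [IPSET ipfilter-netN] section."""
    sets, current = {}, None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            words = line.strip("[]").split()
            is_filter = (len(words) == 2 and words[0].upper() == "IPSET"
                         and words[1].startswith("ipfilter-"))
            current = words[1][len("ipfilter-"):] if is_filter else None
            if is_filter:
                sets.setdefault(current, [])
        elif current is not None:
            # strict=False accepts entries written with host bits set.
            sets[current].append(ipaddress.ip_network(line, strict=False))
    return sets


def egress_verdict(sets, iface, mac, src_ip, configured_ips=()):
    """Decide what happens to one outgoing packet from a guest interface.

    configured_ips models the container case: addresses configured on the
    container are implicitly part of an existing ipfilter set.
    """
    if iface not in sets:
        return "not filtered (no ipfilter set for this interface)"
    src = ipaddress.ip_address(src_ip)
    implicit = {mac_to_link_local(mac)}
    implicit.update(ipaddress.ip_address(ip) for ip in configured_ips)
    if src in implicit:
        return "allowed (implicit entry)"
    if any(src.version == net.version and src in net for net in sets[iface]):
        return "allowed (listed in set)"
    return "dropped (source IP not in ipfilter set)"


if __name__ == "__main__":
    ipfilter = parse_ipfilter_sets(SAMPLE_FW)
    for source in ("192.168.2.10", "192.168.2.99", "fe80::5054:ff:fe12:3456"):
        print(source, "on net0:", egress_verdict(ipfilter, "net0", SAMPLE_MAC, source))
    print("192.168.2.99 on net1:",
          egress_verdict(ipfilter, "net1", SAMPLE_MAC, "192.168.2.99"))
```

<p>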
<span>对于虚拟机和容器，它们还隐式包含标准的 MAC 派生 IPv6 链路本地地址，以便允许邻居发现协议工作。</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/pve/firewall/&lt;VMID&gt;.fw

[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10</pre><h2 id='services-and-commands-服务和命令'><span>Services and Commands 服务和命令</span></h2><p><span>The firewall runs two service daemons on each node:</span>
<span>防火墙在每个节点上运行两个服务守护程序：</span></p><ul><li><p><span>pvefw-logger: NFLOG daemon (ulogd replacement).</span>
<span>pvefw-logger：NFLOG 守护进程（ulogd 替换）。</span></p></li><li><p><span>pve-firewall: updates iptables rules</span>
<span>pve-firewall：更新 iptables 规则</span></p></li></ul><p><span>There is also a CLI command named pve-firewall, which can be used to start and stop the firewall service:</span>
<span>还有一个名为 pve-firewall 的 CLI 命令，可用于启动和停止防火墙服务：</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># pve-firewall start
# pve-firewall stop</pre><p><span>To get the status use:</span>
<span>要获取状态，请使用：</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># pve-firewall status</pre><p><span>The above command reads and compiles all firewall rules, so you will see warnings if your firewall configuration contains any errors.</span>
<span>上述命令读取并编译所有防火墙规则，因此，如果您的防火墙配置包含任何错误，您将看到警告。</span></p><p><span>If you want to see the generated iptables rules you can use:</span>
<span>如果你想查看生成的 iptables 规则，你可以使用：</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># iptables-save</pre><h2 id='default-firewall-rules-默认防火墙规则'><span>Default firewall rules 默认防火墙规则</span></h2><p><span>The following traffic is filtered by the default firewall configuration:</span>
<span>以下流量按默认防火墙配置进行筛选：</span></p><h3 id='datacenter-incomingoutgoing-dropreject-数据中心传入传出-dropreject'><span>Datacenter incoming/outgoing DROP/REJECT 数据中心传入/传出 DROP/REJECT </span></h3><p><span>If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:</span>
<span>如果防火墙的输入或输出策略设置为 DROP 或 REJECT，则集群中的所有 Proxmox VE 主机仍允许以下流量：</span></p><ul><li><p><span>traffic over the loopback interface</span>
<span>通过环回接口的流量</span></p></li><li><p><span>already established connections</span>
<span>已经建立的连接</span></p></li><li><p><span>traffic using the IGMP protocol</span>
<span>使用 IGMP 协议的流量</span></p></li><li><p><span>TCP traffic from management hosts to port 8006 in order to allow access to the web interface</span>
<span>从管理主机到端口 8006 的 TCP 流量，以允许访问 Web 界面</span></p></li><li><p><span>TCP traffic from management hosts to the port range 5900 to 5999 allowing traffic for the VNC web console</span>
<span>从管理主机到端口范围 5900 到 5999 的 TCP 流量，允许 VNC Web 控制台的流量</span></p></li><li><p><span>TCP traffic from management hosts to port 3128 for connections to the SPICE proxy</span>
<span>从管理主机到端口 3128 的 TCP 流量，用于连接到 SPICE 代理</span></p></li><li><p><span>TCP traffic from management hosts to port 22 to allow SSH access</span>
<span>从管理主机到端口 22 的 TCP 流量，以允许 ssh 访问</span></p></li><li><p><span>UDP traffic in the cluster network to ports 5405-5412 for corosync</span>
<span>集群网络中到端口 5405-5412 的 UDP 流量以进行 corosync</span></p></li><li><p><span>UDP multicast traffic in the cluster network</span>
<span>集群网络中的 UDP 组播流量</span></p></li><li><p><span>ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded)</span>
<span>ICMP 流量类型 3（目标无法到达）、4（拥塞控制）或 11（超出时间）</span></p></li></ul><p><span>The following traffic is dropped, but not logged even with logging enabled:</span>
<span>以下流量将被丢弃，但即使启用了日志记录，也不会记录：</span></p><ul><li><p><span>TCP connections with invalid connection state</span>
<span>连接状态无效的 TCP 连接</span></p></li><li><p><span>Broadcast, multicast and anycast traffic not related to corosync, i.e., not coming through ports 5405-5412</span>
<span>与 corosync 无关的广播、组播和任播流量，即不通过端口 5405-5412</span></p></li><li><p><span>TCP traffic to port 43</span>
<span>到端口 43 的 TCP 流量</span></p></li><li><p><span>UDP traffic to ports 135 and 445</span>
<span>到端口 135 和 445 的 UDP 流量</span></p></li><li><p><span>UDP traffic to the port range 137 to 139</span>
<span>到端口范围 137 到 139 的 UDP 流量</span></p></li><li><p><span>UDP traffic from source port 137 to port range 1024 to 65535</span>
<span>从源端口 137 到端口范围 1024 到 65535 的 UDP 流量</span></p></li><li><p><span>UDP traffic to port 1900</span>
<span>到端口 1900 的 UDP 流量</span></p></li><li><p><span>TCP traffic to port 135, 139 and 445</span>
<span>到端口 135、139 和 445 的 TCP 流量</span></p></li><li><p><span>UDP traffic originating from source port 53</span>
<span>源自源端口 53 的 UDP 流量</span></p></li></ul><p><span>The rest of the traffic is dropped or rejected, respectively, and also logged. This may vary depending on the additional options enabled in </span><strong><span>Firewall</span></strong><span> → </span><strong><span>Options</span></strong><span>, such as NDP, SMURFS and TCP flag filtering.</span>
<span>其余的流量将分别被丢弃或拒绝，并且还会被记录下来。这可能因</span><strong><span>防火墙</span></strong><span>→</span><strong><span>选项</span></strong><span>中启用的其他选项而异，例如 NDP、SMURFS 和 TCP 标志过滤。</span></p><p><span>Please inspect the output of the</span>
<span>请检查 的输出</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># iptables-save</pre><p><span>system command to see the firewall chains and rules active on your system. This output is also included in a System Report, accessible over a node’s subscription tab in the web GUI, or through the pvereport command-line tool.</span>
<span>system 命令查看系统上活动的防火墙链和规则。此输出也包含在系统报告中，可通过 Web GUI 中节点的订阅选项卡或通过 pvereport 命令行工具访问。</span></p><h3 id='vmct-incomingoutgoing-dropreject-vmct-传入传出-dropreject'><span>VM/CT incoming/outgoing DROP/REJECT VM/CT 传入/传出 DROP/REJECT </span></h3><p><span>This drops or rejects all the traffic to the VMs, with some exceptions for DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set configuration. The same rules for dropping/rejecting packets are inherited from the datacenter, while the exceptions for accepted incoming/outgoing traffic of the host do not apply.</span>
<span>这将丢弃或拒绝流向 VM 的所有流量，但 DHCP、NDP、路由器通告、MAC 和 IP 过滤有一些例外，具体取决于设置的配置。丢弃/拒绝数据包的相同规则是从数据中心继承的，而接受主机的传入/传出流量的例外情况则不适用。</span></p><p><span>Again, you can use </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_iptables_inspect'><span>iptables-save (see above)</span></a><span> to inspect all rules and chains applied.</span>
<span>同样，您可以使用 </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_iptables_inspect'><span>iptables-save（见上文）</span></a><span>来检查应用的所有规则和链。</span></p><h2 id='logging-of-firewall-rules-记录防火墙规则'><span>Logging of firewall rules 记录防火墙规则</span></h2><p><span>By default, all logging of traffic filtered by the firewall rules is disabled. To enable logging, the loglevel for incoming and/or outgoing traffic has to be set in </span><strong><span>Firewall</span></strong><span> → </span><strong><span>Options</span></strong><span>. This can be done individually for the host and for each VM/CT firewall. Doing so enables logging of Proxmox VE’s standard firewall rules, and the output can be observed in </span><strong><span>Firewall</span></strong><span> → </span><strong><span>Log</span></strong><span>. Note that only some dropped or rejected packets are logged for the standard rules (see </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_default_rules'><span>default firewall rules</span></a><span>).</span>
<span>默认情况下，防火墙规则过滤的所有流量日志记录都处于禁用状态。要启用日志记录，必须在</span><strong><span>防火墙</span></strong><span>→</span><strong><span>选项</span></strong><span>中设置传入和/或传出流量的日志级别。这既可以针对主机完成，也可以针对 VM/CT 防火墙单独完成。通过这种方式，可以启用Proxmox VE的标准防火墙规则的日志记录，并且可以在</span><strong><span>防火墙</span></strong><span>→</span><strong><span>日志</span></strong><span>中观察输出。此外，对于标准规则，仅记录一些丢弃或拒绝的数据包（请参阅</span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_default_rules'><span>默认防火墙规则</span></a><span>）。</span></p><p><span>loglevel does not affect how much of the filtered traffic is logged. It changes a LOGID appended as prefix to the log output for easier filtering and post-processing.</span>
<span>loglevel 不会影响记录的过滤流量。它更改作为前缀附加到日志输出的 LOGID，以便于过滤和后处理。</span></p><p><span>loglevel is one of the following flags:</span>
<span>loglevel 是以下标志之一：</span></p><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>loglevel 日志级别</span></th><th style='text-align:left;' ><span>LOGID</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>nolog</span></td><td style='text-align:left;' ><span> — </span></td></tr><tr><td style='text-align:left;' ><span>emerg</span></td><td style='text-align:left;' ><span>0</span></td></tr><tr><td style='text-align:left;' ><span>alert</span></td><td style='text-align:left;' ><span>1</span></td></tr><tr><td style='text-align:left;' ><span>crit</span></td><td style='text-align:left;' ><span>2</span></td></tr><tr><td style='text-align:left;' ><span>err</span></td><td style='text-align:left;' ><span>3</span></td></tr><tr><td style='text-align:left;' ><span>warning</span></td><td style='text-align:left;' ><span>4</span></td></tr><tr><td style='text-align:left;' ><span>notice</span></td><td style='text-align:left;' ><span>5</span></td></tr><tr><td style='text-align:left;' ><span>info</span></td><td style='text-align:left;' ><span>6</span></td></tr><tr><td style='text-align:left;' ><span>debug</span></td><td style='text-align:left;' ><span>7</span></td></tr></tbody></table></figure><p><span>A typical firewall log output looks like this:</span>
<span>典型的防火墙日志输出如下所示：</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS</pre><p><span>In case of the host firewall, VMID is equal to 0.</span>
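</p><p><span>Post-processing the log format above, as an added example (not Proxmox VE code): it splits each record into the documented fields, maps LOGID back to the loglevel table, and counts dropped or rejected TCP packets aimed at the host's management ports listed under the default rules. The sample lines are constructed, and the timestamp layout, the "policy DROP" wording and the KEY=VALUE packet details are assumptions about real output.</span></p>

```python
import re
from collections import Counter

# LOGID to loglevel name, from the table above ("nolog" produces no LOGID).
LOGLEVELS = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
             4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Management ports named in the default rules: SSH, web GUI, SPICE proxy, VNC.
MGMT_PORTS = {"22", "8006", "3128"} | {str(p) for p in range(5900, 6000)}

# VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS
# Assumption: TIMESTAMP looks like "12/Mar/2024:09:14:02 +0100" (one inner space).
LINE_RE = re.compile(
    r"^(\d+) (\d) (\S+) "
    r"(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"([^:]+): (.*)$")

# Constructed sample records (documentation address ranges only).
SAMPLE_LOG = """\
0 5 PVEFW-HOST-IN 12/Mar/2024:09:14:02 +0100 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 DF PROTO=TCP SPT=51514 DPT=22 SYN
0 5 PVEFW-HOST-IN 12/Mar/2024:09:14:03 +0100 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 DF PROTO=TCP SPT=51516 DPT=8006 SYN
100 6 tap100i0-IN 12/Mar/2024:09:15:10 +0100 policy REJECT: IN=fwbr100i0 OUT=fwbr100i0 SRC=198.51.100.23 DST=192.0.2.50 LEN=52 PROTO=TCP SPT=40222 DPT=443 SYN
0 5 PVEFW-HOST-IN 12/Mar/2024:09:16:41 +0100 policy DROP: IN=vmbr0 SRC=198.51.100.23 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=5353 DPT=5353
this line is not a firewall log record
""".splitlines()


def parse_line(line):
    """Split one record into its documented fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    vmid, logid, chain, timestamp, policy, details = m.groups()
    fields, flags = {}, []
    for token in details.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value          # KEY=VALUE pair such as SRC=...
        else:
            flags.append(token)          # bare flag such as SYN or DF
    return {
        "vmid": int(vmid),
        "scope": "host" if int(vmid) == 0 else "guest",   # VMID 0 is the host firewall
        "logid": int(logid),
        "loglevel": LOGLEVELS.get(int(logid), "unknown"),
        "chain": chain,
        "timestamp": timestamp,
        "policy": policy.strip(),
        "fields": fields,
        "flags": flags,
    }


def host_mgmt_drops(lines):
    """Count dropped or rejected TCP packets to host management ports, per source IP.

    Returns (Counter of source IPs, number of lines that could not be parsed).
    """
    hits, skipped = Counter(), 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        f = event["fields"]
        blocked = "DROP" in event["policy"] or "REJECT" in event["policy"]
        if (event["scope"] == "host" and blocked
                and f.get("PROTO") == "TCP" and f.get("DPT") in MGMT_PORTS):
            hits[f.get("SRC", "?")] += 1
    return hits, skipped


if __name__ == "__main__":
    counts, unparsed = host_mgmt_drops(SAMPLE_LOG)
    for source, n in counts.most_common():
        print(source, "blocked management connection attempts:", n)
    print("unparsed lines:", unparsed)
```

<p>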
</p><h3 id='logging-of-user-defined-firewall-rules-记录用户定义的防火墙规则'><span>Logging of user-defined firewall rules</span></h3><p><span>To log packets filtered by user-defined firewall rules, you can set a log-level parameter for each rule individually. This allows fine-grained logging that is independent of the log-level defined for the standard rules in </span><strong><span>Firewall</span></strong><span> → </span><strong><span>Options</span></strong><span>.</span>
</p><p><span>While the loglevel for each individual rule can be defined or changed easily in the web UI during creation or modification of the rule, it can also be set via the corresponding pvesh API calls.</span>
</p><p><span>Further, the log-level can also be set via the firewall configuration file by appending a -log &lt;loglevel&gt; to the selected rule (see </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_log_levels'><span>possible log-levels</span></a><span>).</span>
</p><p><span>For example, the following two are identical:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">IN REJECT -p icmp -log nolog
IN REJECT -p icmp</pre><p><span>whereas</span></p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">IN REJECT -p icmp -log debug</pre><p><span>produces a log output flagged with the debug level.</span>
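</p><p><span>The log layout and LOGID table described above, as an added example that is not part of the Proxmox documentation: a Python parser run over constructed sample lines. The chain names, the timestamp layout, the optional word "policy" before the action and the KEY=VALUE packet details are assumptions.</span></p>

```python
from collections import Counter

# LOGID to loglevel name, as listed in the table above (nolog has no LOGID).
LOG_LEVELS = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Constructed sample input in the documented layout
# "VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS".
# Assumptions: chain names, timestamp layout, the optional word "policy"
# before the action, and KEY=VALUE packet details.
# Line 2 stands for a hit on a rule carrying "-log debug" (LOGID 7).
SAMPLE_LOG = """\
0 6 PVEFW-HOST-IN 14/Mar/2024:10:15:01 +0100 policy DROP: IN=vmbr0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51514 DPT=8006
100 7 tap100i0-IN 14/Mar/2024:10:15:02 +0100 REJECT: IN=fwbr100i0 SRC=198.51.100.7 DST=192.0.2.50 PROTO=ICMP
100 6 tap100i0-IN 14/Mar/2024:10:15:03 +0100 policy DROP: IN=fwbr100i0 SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40000 DPT=22
this line is not a firewall record
0 9 PVEFW-HOST-IN 14/Mar/2024:10:15:04 +0100 policy DROP: IN=vmbr0 SRC=192.0.2.11
"""


def parse_line(line):
    """Parse one log line; return a dict, or None if it does not fit the layout."""
    head, sep, details = line.strip().partition(": ")
    fields = head.split()
    # VMID, LOGID, CHAIN, at least one timestamp token, and the policy token.
    if not (sep and len(fields) >= 5):
        return None
    vmid, logid = fields[0], fields[1]
    if not (vmid.isdigit() and logid.isdigit()):
        return None
    if int(logid) not in LOG_LEVELS:
        return None  # a LOGID outside 0-7 is not a defined loglevel
    stamp = fields[3:-1]
    if stamp[-1] == "policy":  # assumption: default-policy hits carry this word
        stamp = stamp[:-1]
    if not stamp:
        return None
    packet = dict(kv.split("=", 1) for kv in details.split() if "=" in kv)
    return {
        "vmid": int(vmid),
        "scope": "host" if int(vmid) == 0 else "guest",  # VMID 0 is the host firewall
        "level": LOG_LEVELS[int(logid)],
        "chain": fields[2],
        "timestamp": " ".join(stamp),
        "policy": fields[-1],
        "packet": packet,
    }


def parse_log(text):
    """Return (records, skipped) for a block of log text."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1  # keep a count so malformed input is not silently lost
        else:
            records.append(record)
    return records, skipped


def hits_per_vmid(records):
    """Count records per (VMID, policy) to see which guest is generating hits."""
    return Counter((r["vmid"], r["policy"]) for r in records)


if __name__ == "__main__":
    parsed, skipped_lines = parse_log(SAMPLE_LOG)
    for r in parsed:
        print(r["scope"], r["vmid"], r["level"], r["chain"], r["policy"],
              r["packet"].get("SRC"), r["packet"].get("DPT"))
    print("skipped:", skipped_lines)
    print(dict(hits_per_vmid(parsed)))
```

<p>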
</p><h2 id='tips-and-tricks-技巧和窍门'><span>Tips and Tricks</span></h2><h3 id='how-to-allow-ftp-如何允许-ftp'><span>How to allow FTP</span></h3><p><span>FTP is an old-style protocol that uses port 21 and several other dynamic ports, so you need a rule to accept port 21. In addition, you need to load the ip_conntrack_ftp module. To do so, run:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">modprobe ip_conntrack_ftp</pre><p><span>and add ip_conntrack_ftp to /etc/modules (so that it works after a reboot).</span>
</p><h3 id='suricata-ips-integration-suricata-ips-集成'><span>Suricata IPS integration</span></h3><p><span>If you want to use the </span><a href='https://suricata.io/'><span>Suricata IPS</span></a><span> (Intrusion Prevention System), it’s possible.</span>
</p><p><span>Packets will be forwarded to the IPS only after the firewall ACCEPTed them.</span>
</p><p><span>Rejected/Dropped firewall packets don’t go to the IPS.</span>
</p><p><span>Install Suricata on the Proxmox host:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># apt-get install suricata
# modprobe nfnetlink_queue</pre><p><span>Don’t forget to add nfnetlink_queue to /etc/modules for the next reboot.</span>
</p><p><span>Then, enable IPS for a specific VM with:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/pve/firewall/&lt;VMID&gt;.fw

[OPTIONS]
ips: 1
ips_queues: 0</pre><p><span>ips_queues will bind a specific CPU queue for this VM.</span>
</p><p><span>Available queues are defined in</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""># /etc/default/suricata
NFQUEUE=0</pre><h2 id='notes-on-ipv6-ipv6注意事项'><span>Notes on IPv6</span></h2><p><span>The firewall contains a few IPv6-specific options. One thing to note is that IPv6 does not use the ARP protocol anymore, and instead uses NDP (Neighbor Discovery Protocol), which works at the IP level and thus needs IP addresses to succeed. For this purpose, link-local addresses derived from the interface’s MAC address are used. By default, the NDP option is enabled on both host and VM level to allow neighbor discovery (NDP) packets to be sent and received.</span>
</p><p><span>Besides neighbor discovery, NDP is also used for a couple of other things, like auto-configuration and advertising routers.</span>
</p><p><span>By default, VMs are allowed to send out router solicitation messages (to query for a router), and to receive router advertisement packets. This allows them to use stateless auto-configuration. On the other hand, VMs cannot advertise themselves as routers unless the “Allow Router Advertisement” (radv: 1) option is set.</span>
</p><p><span>As for the link-local addresses required for NDP, there’s also an “IP Filter” (ipfilter: 1) option that can be enabled, which has the same effect as adding an ipfilter-net* ipset for each of the VM’s network interfaces containing the corresponding link-local addresses. (See the </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_ipfilter_section'><span>Standard IP set ipfilter-net*</span></a><span> section for details.)</span>
</p><h2 id='ports-used-by-proxmox-ve-proxmox-ve使用的端口'><span>Ports used by Proxmox VE</span></h2><ul><li><p><span>Web interface: 8006 (TCP, HTTP/1.1 over TLS)</span>
</p></li><li><p><span>VNC Web console: 5900-5999 (TCP, WebSocket)</span>
</p></li><li><p><span>SPICE proxy: 3128 (TCP)</span></p></li><li><p><span>sshd (used for cluster actions): 22 (TCP)</span>
</p></li><li><p><span>rpcbind: 111 (UDP)</span></p></li><li><p><span>sendmail: 25 (TCP, outgoing)</span>
</p></li><li><p><span>corosync cluster traffic: 5405-5412 UDP</span>
</p></li><li><p><span>live migration (VM memory and local-disk data): 60000-60050 (TCP)</span>
</p></li></ul><h2 id='nftables'><span>nftables </span></h2><p><span>As an alternative to pve-firewall we offer proxmox-firewall, which is an implementation of the Proxmox VE firewall based on the newer </span><a href='https://wiki.nftables.org/wiki-nftables/index.php/What_is_nftables%3F'><span>nftables</span></a><span> rather than iptables.</span>
</p><figure class='table-figure'><table><thead><tr><th><span>Warning</span></th><th><span>proxmox-firewall is currently in tech preview. There might be bugs or incompatibilities with the original firewall. It is currently not suited for production use.</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><p><span>This implementation uses the same configuration files and configuration format, so you can use your old configuration when switching. It provides the exact same functionality with a few exceptions:</span>
</p><ul><li><p><span>REJECT is currently not possible for guest traffic (traffic will instead be dropped).</span>
</p></li><li><p><span>Using the NDP, Router Advertisement or DHCP options will </span><strong><span>always</span></strong><span> create firewall rules, regardless of your default policy.</span>
</p></li><li><p><span>Firewall rules for guests are evaluated even for connections that have conntrack table entries.</span>
</p></li></ul><h3 id='installation-and-usage-安装与使用'><span>Installation and Usage</span></h3><p><span>Install the proxmox-firewall package:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">apt install proxmox-firewall</pre><p><span>Enable the nftables backend via the Web UI on your hosts (Host &gt; Firewall &gt; Options &gt; nftables), or by enabling it in the configuration file for your hosts (/etc/pve/nodes/&lt;node_name&gt;/host.fw):</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="">[OPTIONS]

nftables: 1</pre><figure class='table-figure'><table><thead><tr><th><span>Note</span></th><th><span>After enabling/disabling proxmox-firewall, all running VMs and containers need to be restarted for the old/new firewall to work properly.</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><p><span>After setting the nftables configuration key, the new proxmox-firewall service will take over. You can check if the new service is working by checking the systemctl status of proxmox-firewall:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">systemctl status proxmox-firewall</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>You can also examine the 
generated ruleset. You can find more information about this in the section </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_nft_helpful_commands'><span>Helpful Commands</span></a><span>. You should also check that pve-firewall is no longer generating iptables rules; you can find the respective commands in the </span><a href='https://pve.proxmox.com/pve-docs/pve-firewall.8.html#pve_firewall_services_commands'><span>Services and Commands</span></a><span> section.</span>
</p><p><span>Switching back to the old firewall can be done by simply setting the configuration value back to 0 / No.</span>
</p><h3 id='usage-用法'><span>Usage</span></h3><p><span>proxmox-firewall will create two tables that are managed by the proxmox-firewall service: proxmox-firewall and proxmox-firewall-guests. If you want to create custom rules that live outside the Proxmox VE firewall configuration you can create your own tables to manage your custom firewall rules. proxmox-firewall will only touch the tables it generates, so you can easily extend and modify the behavior of the proxmox-firewall by adding your own tables.</span>
</p><p><span>Instead of using the pve-firewall command, the nftables-based firewall uses proxmox-firewall. It is a systemd service, so you can start and stop it via systemctl:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">systemctl start proxmox-firewall</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">systemctl stop proxmox-firewall</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: 
transparent; top: 52px;"></div><div class="CodeMirror-gutters" style="display: none; height: 52px;"></div></div></div></pre><p><span>Stopping the firewall service will remove all generated rules.</span>
</p><p><span>To query the status of the firewall, you can query the status of the systemctl service:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">systemctl status proxmox-firewall</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><h3 id='helpful-commands-有用的命令'><span>Helpful Commands</span></h3><p><span>You can check the 
generated ruleset via the following command:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">nft list ruleset</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>If you want to debug proxmox-firewall you can simply run the daemon in foreground with the RUST_LOG environment variable set 
to trace. This should provide you with detailed debugging output:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>You can also edit the 
systemctl service if you want to have detailed output for your firewall daemon:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">systemctl edit proxmox-firewall</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><p><span>Then you need to add the override for the RUST_LOG environment variable:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[Service]</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Environment="RUST_LOG=trace"</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 52px;"></div><div class="CodeMirror-gutters" style="display: none; height: 
52px;"></div></div></div></pre><p><span>This will generate a large amount of logs very quickly, so only use this for debugging purposes. Other, less verbose, log levels are info and debug.</span>
</p><p><span>Running in foreground writes the log output to STDERR, so you can redirect it with the following command (e.g. for submitting logs to the community forum):</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2&gt; firewall_log_$(hostname).txt</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 52px;"></div><div class="CodeMirror-gutters" style="display: none; height: 52px;"></div></div></div></pre><p><span>It can be helpful 
to trace packet flow through the different chains in order to debug firewall rules. This can be achieved by setting nftrace to 1 for packets that you want to track. It is advisable that you do not set this flag for </span><strong><span>all</span></strong><span> packets; in the example below we only examine ICMP packets.</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="" style="break-inside: unset;"><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">#!/usr/sbin/nft -f</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">table bridge tracebridge</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">delete table bridge tracebridge</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">table bridge tracebridge {</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  chain trace {</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp; &nbsp; &nbsp;  meta l4proto icmp meta nftrace set 1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  }</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  chain prerouting {</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp; &nbsp; &nbsp;  type filter hook prerouting priority -350; policy accept;</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp; &nbsp; &nbsp;  jump trace</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  }</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="" cm-zwsp="">
</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  chain postrouting {</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp; &nbsp; &nbsp;  type filter hook postrouting priority -350; policy accept;</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp; &nbsp; &nbsp;  jump trace</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> &nbsp;  }</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">}</span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 546px;"></div><div class="CodeMirror-gutters" style="display: none; height: 546px;"></div></div></div></pre><p><span>Saving this file, making it executable, and then running it once will create the respective tracing chains. You can then inspect the tracing output via the Proxmox VE Web UI (Firewall &gt; Log) or via nft monitor trace.</span>
</p><p><span>The above example traces traffic on all bridges, which is usually where guest traffic flows through. If you want to examine host traffic, create those chains in the inet table instead of the bridge table.</span>
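The tracing approach described above, narrowed and time-boxed, as an added example that is not part of the Proxmox documentation: a POSIX shell wrapper that builds the same trace table for one protocol and one IPv4 address in either the bridge or the inet family, watches nft monitor trace for a limited time, and deletes the table afterwards. The table name tracescoped, the function names and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a scoped, time-boxed nftrace session with cleanup.
# TRACE_TABLE is a hypothetical name; keep it distinct from the
# proxmox-firewall and proxmox-firewall-guests tables the service manages.
TRACE_TABLE="tracescoped"

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the address on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print an nft script that sets nftrace only for one protocol and one address.
#   $1 family: bridge (guest traffic) or inet (host traffic)
#   $2 layer 4 protocol: icmp, tcp or udp
#   $3 IPv4 address, matched as source or as destination
# Every argument is validated because the text is later loaded by nft as root.
build_trace_ruleset() {
    family=$1 proto=$2 addr=$3
    case "$family" in
        bridge|inet) ;;
        *) echo "family must be bridge or inet" >&2; return 1 ;;
    esac
    case "$proto" in
        icmp|tcp|udp) ;;
        *) echo "proto must be icmp, tcp or udp" >&2; return 1 ;;
    esac
    is_ipv4 "$addr" || { echo "addr must be an IPv4 address" >&2; return 1; }

    # Same create-then-delete idiom as the page's script, so reloading works.
    printf 'table %s %s\n' "$family" "$TRACE_TABLE"
    printf 'delete table %s %s\n\n' "$family" "$TRACE_TABLE"
    printf 'table %s %s {\n' "$family" "$TRACE_TABLE"
    printf '    chain trace {\n'
    printf '        ip saddr %s meta l4proto %s meta nftrace set 1\n' "$addr" "$proto"
    printf '        ip daddr %s meta l4proto %s meta nftrace set 1\n' "$addr" "$proto"
    printf '    }\n'
    for hook in prerouting postrouting; do
        printf '    chain %s {\n' "$hook"
        printf '        type filter hook %s priority -350; policy accept;\n' "$hook"
        printf '        jump trace\n    }\n'
    done
    printf '}\n'
}

# Remove the trace table; ignore the error if it does not exist.
cleanup_trace() {
    nft delete table "$1" "$TRACE_TABLE" 2>/dev/null || true
}

# Load the scoped table, show the trace output for $4 seconds (default 30),
# then delete the table again, also when interrupted with Ctrl-C.
trace_session() {
    session_family=$1
    seconds=${4:-30}
    case "$seconds" in
        ''|*[!0-9]*) echo "seconds must be a whole number" >&2; return 1 ;;
    esac
    ruleset=$(build_trace_ruleset "$1" "$2" "$3") || return 1
    trap 'cleanup_trace "$session_family"; exit 130' INT TERM
    printf '%s\n' "$ruleset" | nft -f - || { trap - INT TERM; return 1; }
    timeout "$seconds" nft monitor trace || true   # 124 = time limit reached
    cleanup_trace "$session_family"
    trap - INT TERM
}

# Runs only when arguments are given, e.g.:
#   sh trace-session.sh bridge icmp 192.0.2.10 20
if [ "$#" -gt 0 ]; then
    trace_session "$@"
fi
```

Calling build_trace_ruleset on its own prints the generated nft script, so it can be reviewed before anything is loaded into the kernel.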
</p><figure class='table-figure'><table><thead><tr><th><span>Note</span></th><th><span>Be aware that this can generate a </span><strong><span>lot</span></strong><span> of log spam and slow down the performance of your networking stack significantly.</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><p><span>You can remove the tracing rules via running the following command:</span>
</p><pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang=""><div class="CodeMirror cm-s-inner cm-s-null-scroll CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 11px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">nft delete table bridge tracebridge</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom-width: 0px; border-bottom-style: solid; border-bottom-color: transparent; top: 26px;"></div><div class="CodeMirror-gutters" style="display: none; height: 26px;"></div></div></div></pre><h2 id='macro-definitions-宏定义'><span>Macro Definitions</span></h2><figure 
class='table-figure'><table><thead><tr><th><em><span>Amanda</span></em><span> </span></th><th><span>Amanda Backup</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>10080</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>10080</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Auth</span></em><span> </span></th><th><span>Auth (identd) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>113</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>BGP</span></em><span> </span></th><th><span>Border Gateway Protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>179</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>BitTorrent</span></em><span> </span></th><th><span>BitTorrent traffic for BitTorrent 3.1 and earlier</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6881:6889</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>6881</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>BitTorrent32</span></em><span> </span></th><th><span>BitTorrent traffic for BitTorrent 3.2 and later</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' 
><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6881:6999</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>6881</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>CVS</span></em><span> </span></th><th><span>Concurrent Versions System pserver traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>2401</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Ceph</span></em><span> </span></th><th><span>Ceph Storage Cluster traffic (Ceph Monitors, OSD &amp; MDS Daemons)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport 
</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6789</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3300</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6800:7300</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Citrix</span></em><span> </span></th><th><span>Citrix/ICA traffic (ICA, ICA Browser, CGP)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>1494</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>1604</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>2598</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th><em><span>DAAP</span></em><span> </span></th><th><span>Digital Audio Access Protocol traffic (iTunes, Rhythmbox daemons)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3689</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>3689</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>DCC</span></em><span> </span></th><th><span>Distributed Checksum Clearinghouse spam filtering mechanism</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6277</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>DHCPfwd</span></em><span> </span></th><th><span>Forwarded DHCP traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>67:68</span></td><td style='text-align:left;' ><span>67:68</span></td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>DHCPv6</span></em><span> </span></th><th><span>DHCPv6 traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>546:547</span></td><td style='text-align:left;' ><span>546:547</span></td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>DNS</span></em><span> </span></th><th><span>Domain Name System traffic (udp and tcp)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' 
><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>53</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>53</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Distcc</span></em><span> </span></th><th><span>Distributed Compiler service</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3632</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>FTP</span></em><span> </span></th><th><span>File Transfer Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>21</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th><em><span>Finger</span></em><span> </span></th><th><span>Finger protocol (RFC 742)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>79</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>GNUnet</span></em><span> </span></th><th><span>GNUnet secure peer-to-peer networking traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>2086</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>2086</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>1080</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' 
><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>1080</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>GRE</span></em><span> </span></th><th><span>Generic Routing Encapsulation tunneling protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>47</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Git</span></em><span> </span></th><th><span>Git distributed revision control traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>9418</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>HKP</span></em><span> </span></th><th><span>OpenPGP HTTP key server protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>11371</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>HTTP</span></em><span> </span></th><th><span>Hypertext Transfer Protocol (WWW)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>80</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>HTTPS</span></em><span> </span></th><th><span>Hypertext Transfer Protocol (WWW) over SSL</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' 
><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>443</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>ICPV2</span></em><span> </span></th><th><span>Internet Cache Protocol V2 (Squid) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>3130</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>ICQ</span></em><span> </span></th><th><span>AOL Instant Messenger traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>5190</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IMAP</span></em><span> </span></th><th><span>Internet Message Access Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>143</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IMAPS</span></em><span> </span></th><th><span>Internet Message Access Protocol over SSL</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>993</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IPIP</span></em><span> </span></th><th><span>IPIP encapsulation traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' 
><span>PARAM</span></td><td style='text-align:left;' ><span>94</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IPsec</span></em><span> </span></th><th><span>IPsec traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>500</span></td><td style='text-align:left;' ><span>500</span></td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>50</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IPsecah</span></em><span> </span></th><th><span>IPsec authentication (AH) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>500</span></td><td style='text-align:left;' ><span>500</span></td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' 
><span>51</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IPsecnat</span></em><span> </span></th><th><span>IPsec traffic and Nat-Traversal</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>500</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>4500</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>50</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>IRC</span></em><span> </span></th><th><span>Internet Relay Chat traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' 
><span>6667</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Jetdirect</span></em><span> </span></th><th><span>HP Jetdirect printing</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>9100</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>L2TP</span></em><span> </span></th><th><span>Layer 2 Tunneling Protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>1701</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>LDAP</span></em><span> </span></th><th><span>Lightweight Directory Access Protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action 
</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>389</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>LDAPS</span></em><span> </span></th><th><span>Secure Lightweight Directory Access Protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>636</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>MDNS</span></em><span> </span></th><th><span>Multicast DNS</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>5353</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th><em><span>MSNP</span></em><span> </span></th><th><span>Microsoft Notification Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>1863</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>MSSQL</span></em><span> </span></th><th><span>Microsoft SQL Server</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>1433</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Mail</span></em><span> </span></th><th><span>Mail traffic (SMTP, SMTPS, Submission)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th 
style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>25</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>465</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>587</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Munin</span></em><span> </span></th><th><span>Munin networked resource monitoring traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>4949</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>MySQL</span></em><span> </span></th><th><span>MySQL server</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' 
><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3306</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>NNTP</span></em><span> </span></th><th><span>NNTP traffic (Usenet).</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>119</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>NNTPS</span></em><span> </span></th><th><span>Encrypted NNTP traffic (Usenet)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>563</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>NTP</span></em><span> </span></th><th><span>Network Time Protocol (ntpd)
</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>123</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>NeighborDiscovery</span></em><span> </span></th><th><span>IPv6 neighbor solicitation, neighbor and router advertisement</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>icmpv6</span></td><td style='text-align:left;' ><span>router-solicitation</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>icmpv6</span></td><td style='text-align:left;' ><span>router-advertisement</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>icmpv6</span></td><td style='text-align:left;' ><span>neighbor-solicitation</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' 
><span>icmpv6</span></td><td style='text-align:left;' ><span>neighbor-advertisement</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>OSPF</span></em><span> </span></th><th><span>OSPF multicast traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>89</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>OpenVPN</span></em><span> </span></th><th><span>OpenVPN traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>1194</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>PCA</span></em><span> </span></th><th><span>Symantec pcAnywhere (tm)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' 
><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>5632</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>5631</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>PMG</span></em><span> </span></th><th><span>Proxmox Mail Gateway web interface</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>8006</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>POP3</span></em><span> </span></th><th><span>POP3 traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' 
><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>110</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>POP3S</span></em><span> </span></th><th><span>Encrypted POP3 traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>995</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>PPtP</span></em><span> </span></th><th><span>Point-to-Point Tunneling Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>47</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>1723</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th><em><span>Ping</span></em><span> </span></th><th><span>ICMP echo request</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>icmp</span></td><td style='text-align:left;' ><span>echo-request</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>PostgreSQL</span></em><span> </span></th><th><span>PostgreSQL server</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>5432</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Printer</span></em><span> </span></th><th><span>Line Printer protocol printing</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' 
><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>515</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>RDP</span></em><span> </span></th><th><span>Microsoft Remote Desktop Protocol traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3389</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>RIP</span></em><span> </span></th><th><span>Routing Information Protocol (bidirectional)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>520</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>RNDC</span></em><span> 
</span></th><th><span>BIND remote management protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>953</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Razor</span></em><span> </span></th><th><span>Razor Antispam System</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>2703</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Rdate</span></em><span> </span></th><th><span>Remote time retrieval (rdate)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport
</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>37</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Rsync</span></em><span> </span></th><th><span>Rsync server</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>873</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SANE</span></em><span> </span></th><th><span>SANE network scanning</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>6566</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SMB</span></em><span> </span></th><th><span>Microsoft SMB traffic
</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>135,445</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>137:139</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>1024:65535</span></td><td style='text-align:left;' ><span>137</span></td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>135,139,445</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SMBswat</span></em><span> </span></th><th><span>Samba Web Administration Tool</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' 
><span>901</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SMTP</span></em><span> </span></th><th><span>Simple Mail Transfer Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>25</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SMTPS</span></em><span> </span></th><th><span>Encrypted Simple Mail Transfer Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>465</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SNMP</span></em><span> </span></th><th><span>Simple Network Management Protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th 
style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>161:162</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>161</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SPAMD</span></em><span> </span></th><th><span>Spam Assassin SPAMD traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>783</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SPICEproxy</span></em><span> </span></th><th><span>Proxmox VE SPICE display proxy traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td 
style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3128</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SSH</span></em><span> </span></th><th><span>Secure shell traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>22</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SVN</span></em><span> </span></th><th><span>Subversion server (svnserve)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3690</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>SixXS</span></em><span> </span></th><th><span>SixXS IPv6 Deployment and Tunnel Broker
</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3874</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>3740</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>41</span></td><td style='text-align:left;' >&nbsp;</td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>5072,8374</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Squid</span></em><span> </span></th><th><span>Squid web proxy traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>3128</span></td><td style='text-align:left;' 
>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Submission</span></em><span> </span></th><th><span>Mail message submission traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>587</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Syslog</span></em><span> </span></th><th><span>Syslog protocol (RFC 5424) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>514</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>514</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>TFTP</span></em><span> </span></th><th><span>Trivial File Transfer Protocol traffic
</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>69</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Telnet</span></em><span> </span></th><th><span>Telnet traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>23</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Telnets</span></em><span> </span></th><th><span>Telnet over SSL</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td 
style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>992</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Time</span></em><span> </span></th><th><span>RFC 868 Time protocol</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>37</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Trcrt</span></em><span> </span></th><th><span>Traceroute (for up to 30 hops) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>udp</span></td><td style='text-align:left;' ><span>33434:33524</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>icmp</span></td><td style='text-align:left;' ><span>echo-request</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure 
class='table-figure'><table><thead><tr><th><em><span>VNC</span></em><span> </span></th><th><span>VNC traffic for VNC displays 0 - 99</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>5900:5999</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>VNCL</span></em><span> </span></th><th><span>VNC traffic from Vncservers to Vncviewers in listen mode</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>5500</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Web</span></em><span> </span></th><th><span>WWW traffic (HTTP and HTTPS)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' 
><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>80</span></td><td style='text-align:left;' >&nbsp;</td></tr><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>443</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Webcache</span></em><span> </span></th><th><span>Web Cache/Proxy traffic (port 8080)</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>8080</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Webmin</span></em><span> </span></th><th><span>Webmin traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td 
style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>10000</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th><em><span>Whois</span></em><span> </span></th><th><span>Whois (nicname, RFC 3912) traffic</span></th></tr></thead><tbody><tr><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure><figure class='table-figure'><table><thead><tr><th style='text-align:left;' ><span>Action</span></th><th style='text-align:left;' ><span>proto</span></th><th style='text-align:left;' ><span>dport</span></th><th style='text-align:left;' ><span>sport</span></th></tr></thead><tbody><tr><td style='text-align:left;' ><span>PARAM</span></td><td style='text-align:left;' ><span>tcp</span></td><td style='text-align:left;' ><span>43</span></td><td style='text-align:left;' >&nbsp;</td></tr></tbody></table></figure><h2 id='copyright-and-disclaimer-版权及免责声明'><span>Copyright and Disclaimer</span></h2><p><span>Copyright © 2007-2022 Proxmox Server Solutions GmbH</span></p><p><span>This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</span></p><p><span>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.</span></p><p><span>You should have received a copy of the GNU Affero General Public License along with this program. If not, see </span><a href='https://www.gnu.org/licenses/' target='_blank' class='url'>https://www.gnu.org/licenses/</a></p><p><span>Version 8.2.3</span>
<span>Last updated Wed Jul 31 16:58:41 CEST 2024</span>
</p></div></div>
</body>
</html>